Security Experts:

Tech Firms Unite to Neutralize WireX Android Botnet

Major New WireX Android Botnet Neutralized by Cross-Vendor Collaborative Research

Black clouds on the internet do sometimes have a silver lining. Global attacks such as those from Mirai last year and WannaCry/NotPetya this year have fomented informal collaborative global responses -- one of which happened this month when multiple competitive vendors collaborated in the research and neutralization of a major new botnet called WireX.

The collaboration was informal. Security experts often move around the industry, but usually retain good relationships and continue those relationships. This happened with WireX. It first appeared on August 2nd, but was small enough to be ignored. Two weeks later it ramped up into something altogether different. 

In a joint and coordinated announcement and series of blogs, Flashpoint, Akamai, Cloudflare, and RiskIQ have today explained how their researchers, together with researchers from other organizations, detected, collaborated, and ultimately neutralized the botnet.

The initial August 2nd attacks were minimal, suggesting the malware was in development or in the early stages of deployment. "More prolonged attacks have been identified starting on August 15th, with some events sourced from a minimum of 70,000 concurrent IP addresses," say the reports. The targets of the attacks are not specified, but some reports suggest that several large websites in the hospitality sector were taken down.

The attacks were volumetric, attacking the application layer with HTTP GET requests disguised to look like legitimate web traffic. At this level, the attacks were soon detected by multiple cyber security firms, and the collaboration began.

When it did, "the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system." 

Analyses of logs from August 17 attacks implicated a particular Android app. Searches using variations of the application name and parameters in the application bundle revealed multiple additional applications from the same, or similarly named authors, with comparable descriptions. Around 300 apps were located. The attacks themselves seem to have come from more than 100 different countries, indicating a wide and successful distribution of the malicious apps.

"We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we're in the process of removing them from all affected devices," says Google. "The researchers' findings, combined with our own analysis, have enabled us to better protect Android users, everywhere."

Many of the apps appear to be legitimate with benign functions, such as media/video players, ringtones or tools such as storage managers -- but "with additional hidden features that were not readily apparent to the end users that were infected." This malware stayed alive and active in background even when the app itself was not in use.

Existing anti-malware tools already detect the malware as 'Android Clicker', leading the researchers to believe it started life as click fraud malware that was later repurposed as a DDoS tool.

This was not a botnet 'takedown' (such as Kelihos earlier this year) in the usual sense, where industry and law enforcement combine to locate and 'seize' or sinkhole the C2 server or servers (although the researchers do proffer their thanks to "the FBI for their assistance in this matter"). This is more a neutralization than a takedown. The collaborative research by the vendors has resulted in isolating the rules that can stop the malformed GET (and potentially also POST) traffic, while Google's efforts to locate and remove the apps from the Play Store (and cleanse infected devices) stops them being originated.

Almost more important than the botnet neutralization, however, is this new example of collaboration between the different companies concerned. "This research is exciting because it's a case study in just how effective collaboration across the industry is," said Allison Nixon, director of security research at Flashpoint. "This was more than just a malware analysis report. The working group was able to connect the dots from the victim to the attacker. The group also used the information to better mitigate the attack and dismantle the botnet -- and this was completed very quickly."

Akamai's senior network architect and security researcher, Jared Mauch, added, "In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner."

"I'm proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery," said Matthew Prince, co-founder & CEO of Cloudflare.

"The WireX botnet operation shows the value of a collaborative response from security firms, service providers, and law enforcement," said Darren Spruell, threat researcher at RiskIQ.

The hope is that this success becomes a repeated example of how the global industry can collaborate to defeat global threats. "This report is an example of how informal sharing can have a dramatically positive impact for the victims and the Internet as a whole," conclude the researchers. "Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.