Security Experts:

Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks

Variant of WireX Android Botnet is Able to Deliver High-volume UDP Flood DDoS Attacks

When several tech companies combined to analyze and hopefully control a new Android-based botnet they called WireX, they described it as focused on low bandwidth HTTP(S) attacks using POST and GET. They missed one variant subsequently analyzed by Qihoo Technology's 360 Flame Labs. This variant of WireX is able to deliver high-volume UDP flood attacks.

Both F5 Networks and Akamai have subsequently analyzed this 'new' variant. Akamai admits that it was 'essentially overlooked' by the original researchers until found and analyzed by Qihoo's Labs. F5 appears to have found it independently. Worryingly, a single bot is capable of generating over 250GB of attack traffic per attack directive.

The analyses show that the INSMainActivity component "runs the show and is responsible for both preliminary bootstrapping and spinning up the command and control (C2) polling services." It polls the p.axclick.store for commands. If it receives a response where the <title> tag is not empty, it spins up the AsyncTask/Vpxbjlowiwzg service. This in turn generates the C2 polling threads, one of which is responsible for the UDP attack logic, including sending out the UDP traffic.

If the initial C2 response contains both a <title> tag and the string 'snewxwri' (WireX is so-named from an anagram of the final 5 characters), then the attack directive string is split() into an Array on this delimiter value. The delimiter separates the target IP address and the port to attack (which is 1337 in Akamai's analysis).

"The UDP attack traffic exiting the infected device uses fairly generic attack characteristics and offers no customization capabilities for the attacker." In this variant/version, the attacker has no options over the packet size, or padding content for the UDP attack -- the bot receives its instructions and runs its attack cycle. Each packet is null (0x00) padded to a length of 512 bytes.

The bot spins up 50 threads. Each thread runs until 10,000,000 packets have been directed at the target, and is replaced by the next thread. "It is possible," writes Akamai, "a victim could receive many more than 500,000,000 packets per a given attacking source.  At these rates, a single host is capable of generating over 250GB of attack traffic per attack directive received."

The attack rate is dependent on the speed of the delivering device and its network connections. "The code does not throttle the attack, and as a result will use all resources available on the device. We noticed our Android phone got surprisingly hot to the touch as a result."

WireX is more complex and dangerous than originally thought. "Discovering, and ultimately confirming, that WireX can also launch UDP-based volumetric attacks is important, as they are more likely to impact additional applications and OSI layers. This further expands the botnet's capabilities, raising additional concerns for defenders." No definite WireX UDP DDoS attack has yet been seen.

"Initial samples of WireX were flagged as click fraud malware," comments Akamai. 

F5 offers a possible explanation:  one command that is triggered only when the application launches is served by the p.axclick.store URL. "It results in the malware opening the default Android browser 10 times and browsing the target URL, which just seems like some basic clickfraud functionality," comment the F5 researchers.

"While it's easy to see how a click fraud bot could be easily repurposed to carry out HTTP(S) attacks, adds Akamai, "this discovery and our research all but confirms that WireX wasn't a click fraud botnet being repurposed to perform DDoS attacks. WireX was purpose built to engage in DDoS attacks from the start. To what end (ransom, ddos-for-hire, etc.), has yet to be fully realized."

F5 also points out that despite the basic nature of the UDP attack itself, "it has good market differentiation in its HTTP functionality. Being based on Android’s WebView class, the thingbot [the term used for IoT-based botnets, such as Mirai] is better equipped with browser-like functionality, making it more resistant to various bot challenges, such as cookie support, redirects, and JavaScript, which are still an obstacle for many DDoS malwares."

What does seem clear is that WireX is at the early stages of its evolution -- but already shows indications that it could develop into a serious threat.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.