A group of security teams from various companies, some of them competitors, worked together to disrupt a distributed denial-of-service (DDoS) attack from the WireX botnet.
The attack, discovered on August 17, revealed that the botnet had incorporated devices from over 100 different countries, a peculiar feature for a DDoS attack which is normally far more geographically localized. The applications that were found to be infected mostly fell into the categories of media players, ringtones, or storage manager applications with hidden features.
The applications appeared to function normally, but upon launch would query a command and control (C&C) server for attack commands which could then be executed by the device without the user’s knowledge.
The infected applications also used the Android service architecture feature that allows apps to access system resources while in the background, so that attacks could be conducted even when the specific application was not in use. Because this type of malware is common with click fraud, including the “Android Clicker” Trojan, researchers believe it is possible that the WireX malware originated as click fraud but was modified to conduct a DDoS attack.
The researchers, from companies such as Akami, Cloudflare, Flashpoint, Google and Oracle Dyn, among others, not only worked together to interrupt the attack, but also collaborated on the subsequent blog posts and press releases related to the action.
As a result of the discovery, Google removed over 300 infected apps from the Google Play store, and is working to have infected apps uninstalled on user devices. Google noted that “the researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”
The group that successfully disrupted the WireX botnet DDoS attack attributed its success, in part, to the resurgence in information-sharing groups, both formal and informal, in the wake of highly-publicized attacks such as WannaCry, Petya, and last year’s Mirai botnet DDoS attack.
As stated in the group-created blog, the discoveries that led to the identification and successful interruption of the malware were made possible due to open collaboration between targets, mitigation companies and intelligence firms. “Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”
The team also shared its experience as an example of how information-sharing groups and open communication allows for a deeper understanding by all parties by showing attack activity on a global scale. “Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination.”