Security researchers from several companies have teamed up to take down a DDoS botnet made up of Android devices.
Security experts from numerous companies, including Google, Flashpoint, Oracle Dyn, Team Cymru, Akamai, Cloudflare, and others, have taken down the WireX botnet, which was discovered a couple of weeks ago. What made WireX stand out was that it was built out of Android devices that had been infected with malware via third-party app stores, or even apps that bypassed the Google Play Store security checks. According to data, the bots spread over 120,000 unique IP addresses, indicating a high infection rate.
The researchers believe the attackers started putting together the botnet in mid-July, but it only managed to get the attention of security researchers on August 17, when it was used for a Distributed Denial of Service attacks. The attacks were powerful enough to bring down various services, researchers said, and they even captured the attention of law enforcement agencies after the attackers also demanded ransom be paid by the targeted organizations.
Unlike on other occasions when a single organization tried to take down a massive botnet, this time around, the many companies, who are normally competitors, decided to team up for a fast job.
The participants of the investigation published identical technical reports following the incident. In it, it is mentioned that WireX had the capability of launching attacks that exhausted server memory resources, which caused online services to go down like flies. The botnet did not manage to jam server bandwidth, however.
Instead of playing heroes, the security firms managed to get the job done by working together, putting all the data they each had together in order to identify all the bots, figure out how the victims got infected, and tracking down some 300 Android apps carrying the WireX malware. Google did its job too by removing the apps from the Play Store and even to remove the malicious apps from the infected devices.
Most of the apps that were removed fell into the categories of media and video players, ringtones, or tools such as storage managers.
Cooperation is key
Thankfully, the job was done quickly, and the companies say they have learned a lot from previous experiences with other massive botnets, such as Mirai, or even with widespread cyber attacks.
“In the wake of the Mirai attacks, information sharing groups have seen a resurgence, where researchers share situation reports and, when necessary, collaborate to solve Internet-wide problems. Further, WannaCry, Petya and other global events have only strengthened the value of this collaboration. Many information sharing groups, such as this one, are purely informal communications amongst peers across the industry,” reads the statement released by the participating companies.
They all admit that these discoveries were only possible due to the open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms, each playing an important role and holding a key to the puzzle.
Hopefully, we will see this type of collaboration in the future as well, in order to better mitigate DDoS attacks or widespread incidents such as WannaCry and NotPetya, which are becoming increasingly frequent. Only by doing so we can have a more secure life online, especially now that the number of attacks is on the rise.