Collaboration often gets tagged as a buzzword, long on intent but short on outcome. However, an open collaboration between distributed denial of service (DDoS) targets, mitigation providers and security intelligence firms has transcended jargon to track down and combat the WireX botnet, a tentacled nasty of malicious Android apps intended to initiate widespread DDoS attacks.
Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations worked together to combat WireX, so named for an anagram for one of the delimiter strings in its command and control protocol, wrote Cloudflare security analyst Jaime Cochran, in a co-authored blog issued concurrently also by Akamai, Flashpoint and RiskIQ.
“This post represents the combined knowledge and efforts of the researchers working to share information about a botnet in the best interest of the internet community as a whole,” she said. “Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”
WireX may have been active two weeks before its August 17 hit on content delivery networks (CDNs) and content providers but it is those attacks that gained the attention of security researchers, the blog said. While the first smattering of attacks appeared on August 2 and went mostly unnoticed -- perhaps a beta test of the malware -- more sustained assaults began on August 15, with some emanating from a minimum of 70,000 concurrent IP addresses and peaking at 120,000.
Initial analysis indicated that devices from about 100 countries were involved, an unusual occurrence for botnets, the blog authors said. The collaborators subsequently uncovered a connection between the attacking IPs and malicious apps running on top of the Android OS. Ultimately, the kicker turned out to be some 300 fake apps available on Google’s Play Store. Google was notified a few days ago and has removed most of the affected apps -- ranging from infected media/video players, ringtones and storage managers with hidden features unknown to users -- and begun to uninstall them from devices.
There are important takeaways from this collaboration (as the collaborators themselves articulated):
- For victims and providers, there’s no overstating the positive impact of sharing cybersecurity information and working together when appropriate, a sentiment undoubtedly stemming from the debilitating Mirai, WannaCry and Petya attacks.
- When under a DDoS attack the best thing organizations can do is share detailed metrics of the assault, such as attacking IP addresses, ransom notes, request headers and patterns of interest, to help others to deconstruct it.
- “There is no shame in asking for help. Not only is there no shame, but in most cases it is impossible to hide the fact that you are under a DDoS attack. There are few benefits to being secretive and numerous benefits to being forthcoming.”
- Informal sharing of attack metrics can have a “dramatically positive impact” for those victimized by DDoS bombardments and the wider Internet. Absent sharing, “criminal schemes can operate without examination.”