On the 17th of August, many content providers and delivery network companies were attacked by a botnet called WireX. A multitude of Android devices was used to launch the attack against the targeted victims through malicious applications that run in the background on the devices and are programmed to generate DDoS traffic.
The earliest signs of attacks
The first signs of a WireX botnet attack came on the 2nd of August, but they went unnoticed at the time. They were only discovered when researchers began analyzing logs and searched them for the 26-character User-Agent string. At that stage the botnet was most likely still in early development, given its minimal effects.
Why should we be troubled?
Website owners should be worried because those in control of the botnet now have the capability to take down several large websites: they send junk traffic to a site, and once it consumes too much bandwidth, the website's pages and services go down. One should be very conscious of website malware attacks and the available protection. Too bad it was used for evil purposes such as causing bad publicity and disruption of legitimate services.
How it attacks
WireX launches its attacks at the application layer, and the force it can harness depends on the number of Android devices it has already affected.
The majority of the affected applications could be easily downloaded from the Google Play Store; over 300 applications were reportedly discovered carrying the malware that launches the botnet. The botnet starts a background process on the affected Android device that appears to launch an unseen browser and emulate an endless series of legitimate browsing activities, as if a human being had performed them. The traffic generated by the attack nodes consists mainly of HTTP GET requests; however, some variants were capable of issuing POST requests.
Google removed the discovered apps from the Play Store as soon as it received the report of the incidents, and it is currently working on removing the apps from the affected Android devices.
Anyone who has suffered a DDoS attack may want to check for the following pattern of User-Agent strings to verify whether it was the WireX botnet:
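An added example, not part of the original article: one way to check a web server access log for the 26-character User-Agent described above and to count the matching GET and POST requests per source. It assumes combined log format and that the string is 26 lowercase letters (the article gives only the length); the log lines, addresses and User-Agent values are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: 26 lowercase ASCII letters. The article states only the length (26).
SUSPECT_UA = re.compile(r'[a-z]{26}')

# Constructed sample lines (documentation IP ranges, made-up User-Agent values).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "qwertyuiopasdfghjklzxcvbnm"
198.51.100.7 - - [17/Aug/2017:10:00:01 +0000] "GET /?q=1 HTTP/1.1" 200 512 "-" "mnbvcxzlkjhgfdsapoiuytrewq"
203.0.113.9 - - [17/Aug/2017:10:00:02 +0000] "POST /login HTTP/1.1" 200 128 "-" "plokmijnuhbygvtfcrdxeszwaq"
192.0.2.44 - - [17/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Linux; Android 7.0)"
192.0.2.45 - - [17/Aug/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; FreeBSD)"
malformed line without the expected fields
"""
# The 192.0.2.45 User-Agent is also exactly 26 characters long, so a
# length-only check would flag it; the character-class check does not.

def scan(log_text):
    """Return (hits per source IP, hits per HTTP method, unparsed line count)."""
    per_ip, per_method, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # report lines the parser could not read
            continue
        if SUSPECT_UA.fullmatch(m["ua"]):
            per_ip[m["ip"]] += 1
            per_method[m["method"]] += 1
    return per_ip, per_method, unparsed

if __name__ == "__main__":
    ips, methods, bad = scan(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}\t{n} request(s) with a 26-letter User-Agent")
    print("methods:", dict(methods), "| unparsed lines:", bad)
```

A match is a lead for further review rather than proof of WireX traffic, since the lowercase-letter filter is an assumption.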
What can be done during an attack?
It should come as no surprise or shock when even saying yes to something can hurt you. We have seen a new kind of voice phishing and its possible outcomes. Security professionals should gather data and metrics and then share them. With the information gathered, experts and those who have the means to counter the botnet can learn much more about it.