How a consortium of security professionals took down the WireX Android botnet

A recent Android botnet would have gone unnoticed and unstopped if not for collaboration and cooperation between major tech companies. Are we getting a first glimpse at the future of cybersecurity?

Android devices in over 100 countries were recently hijacked and turned into nodes for the WireX botnet, Akamai reported in a blog post explaining the attack.

WireX runs in the background of seemingly legitimate apps, where it waits for instructions from its command and control (C&C) server. It then attacks targets with volumetric DDoS attacks, deluging servers with HTTP GET and POST requests.

Google reported finding WireX code in approximately 300 Play Store apps, and has removed them and begun eliminating installs from Android devices.

Google credited the efforts of Akamai, Cloudflare, Flashpoint, Oracle Dyn, RiskIQ, Team Cymru, its own researchers, and others as key players in the quick response to WireX, with Akamai adding that the "discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms."

Fragmentation in the cybersecurity world is nothing new: Organizations want to hold their secrets close rather than passing them along to the competition, an attitude that only harms everyone.

One needs only to look to the IoT world to see that fragmentation is rampant, making it difficult (if not impossible) to adequately secure devices and networks. WireX and the collaboration it engendered can't be a one-off event if our connected world is to be a safe one.

The WireX timeline

WireX first appeared on August 2, 2017, and went largely unnoticed due to the small scale of its attacks. It wasn't until it hit multiple content delivery networks (CDNs) on August 17 that it garnered attention.

The formal discovery of WireX was made on August 26 when logs revealed attacks from over 70,000 concurrent IP addresses.

Researchers from CDNs reached out to other potential targets to share information, which led to the discovery of a particular signature that pointed to an Android APK. Samples were downloaded and decompiled, which led to an understanding of how WireX infected devices and operated.

Toward a collaborative model of cybersecurity

"Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery," Akamai's WireX report said.

Large-scale attacks like WireX, the Mirai Botnet, WannaCry, and NotPetya may be what captures the headlines, but it isn't just those attacks that could be curtailed through cybersecurity collaboration.

Akamai says it's also entirely possible for organizations to share pertinent information without revealing company secrets by making available packet captures, attacking IP addresses, ransoms, request headers, and other patterns that hint at multi-target attacks.

Companies can ensure nothing confidential is leaked by removing any legitimate traffic or sensitive information, all while building a cooperative, open threat database.
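To show what the sanitize-and-share step looks like in practice, here is an added example (not Akamai's tooling or anything from the WireX report). It parses constructed web-server log lines, groups requests by method, path and User-Agent, treats any pattern seen from many distinct source IPs as a suspected flood, and emits a shareable record that keeps only the attacking IPs and the request pattern while dropping legitimate visitors and their session data. The log format, the User-Agent string and the 20-IP threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real WireX traffic): two ordinary visitors
# plus a burst of 40 distinct IPs sending the same GET with one User-Agent.
LOG_LINES = [
    '203.0.113.5 "GET /index.html" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/55.0" session=alice',
    '203.0.113.9 "POST /login" 302 "Mozilla/5.0 (Macintosh) Safari/604.1" session=bob',
] + [
    f'198.51.100.{i} "GET /" 200 "xqzvkplm" session=' for i in range(1, 41)
]

# Assumed log layout: <ip> "<method> <path>" <status> "<user-agent>" session=<id>
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)"(?: session=(\S*))?')


def parse(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ua, session = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua, "session": session or ""}


def find_flood_clusters(records, min_ips=20):
    """Group requests by (method, path, user-agent). A pattern sent by at
    least min_ips distinct source IPs is treated as a suspected flood;
    the threshold is an assumption for this example."""
    clusters = defaultdict(set)
    for r in records:
        clusters[(r["method"], r["path"], r["ua"])].add(r["ip"])
    return {k: ips for k, ips in clusters.items() if len(ips) >= min_ips}


def build_share_record(log_lines, min_ips=20):
    """Return only what another target needs to correlate the attack: the
    request pattern and the attacking IPs. Legitimate traffic and per-user
    fields (session ids, real visitors' paths) never reach the output."""
    records = [r for r in map(parse, log_lines) if r]
    clusters = find_flood_clusters(records, min_ips)
    return [
        {"method": m, "path": p, "user_agent": ua,
         "distinct_ips": len(ips), "ips": sorted(ips)}
        for (m, p, ua), ips in clusters.items()
    ]
```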

"There are few benefits to being secretive and numerous benefits to being forthcoming," Akamai's report says—and it's correct. If responsible parties don't embrace security collaboration, then hacks, identity theft, ransomware, and cyberwarfare are only going to become more prevalent.

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
