Protecting Mobile Networks from WireX Botnet

By Sanjai Gangdharan, Regional Director SAARC, A10 Networks

In October 2016, the Mirai botnet commanded a number of devices such as routers, webcams, DVRs, IP cameras, thermostats, digital video recorders and other Internet-connected devices, to deploy DDoS payloads that surpass 1 Tbps throughputs. The botnets were used to launch massive DDoS attacks to take down servers, applications, services, and websites. It appears Mirai may have some competition. And its name is WireX Botnet.

Google recently removed roughly 300 apps from its Play Store after researchers found that the apps in question were secretly hijacking Android devices to feed traffic to wide-scale distributed denial of service (DDoS) attacks against multiple content delivery networks (CDNs) and content providers.

According to a team of researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and other organizations, the WireX botnet is to blame.

Akamai researchers first discovered WireX when it was used to attack one of its clients, a multinational hospitality company, by sending traffic from hundreds of thousands of IP addresses.

“The WireX botnet comprises primarily Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets,” Cloudflare wrote in a blog post.
WireX used the hijacked devices to launch the volumetric application-layer DDoS attacks, Cloudflare noted. The traffic generated by the attack nodes was primarily HTTP GET requests, though some variants appeared to be capable of issuing POST requests. In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers.

The malicious applications in question included media and video players, ringtones and other tools like storage managers. According to Gizmodo, the nefarious apps contained hidden malware that could use an Android device to participate in a DDoS attack as long as the device was powered on.

It’s unclear how many devices were infected – one researcher told KrebsOnSecurity that WireX infected a minimum of 70,000 devices, but noted that estimate is conservative. It is believed that devices from more than 100 countries were used to participate in the attacks.

“Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses,” Akamai Senior Engineer Chad Seaman said in an interview with KrebsOnSecurity. “We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”

WireX, much like its predecessor Mirai, illustrates the importance of protecting your network and applications from attacks. Large-scale attacks can come from anywhere, even a botnet comprising tens of thousands of Android devices. As these types of attacks grow in frequency, sophistication, and size, organizations need to solutions in place to stop them before they have the opportunity wreak havoc.

WireX is unique in that it introduces a new threat: Weaponized smartphones, which introduces billions of endpoints ripe for an infection that can propagate bad agents upon a mobile network.

Traditionally, mobile and service provider networks are protected against attacks that come in through the Internet. However, many critical components are left unprotected based on the assumption that attacks will be stopped at the Internet edge. Attacks like WireX change this paradigm.

“WireX proves that attacks can originate from inside a mobile network as well, and a few thousand infected hosts can affect the brain of a mobile network,” A10 Director of Product Management Yasir Liaqatullah said. “These infected smartphones will eventually start to attack the critical components of mobile networks, and the potential fallout from that could be tremendous.”

Attacks like WireX reinforce the need for service providers to protect their key assets on all fronts – not just from attacks from the outside, but from the inside as well.

To combat attacks like WireX, service providers and mobile network operators need an intelligent, scalable DDoS defense solution between smartphones and the mobile network infrastructure, both the internal and external. To address this sophisticated type of attack, a modern DDoS solution requires intelligence to understand the changing nature of a polymorphic attack, which has the ability to change signatures and varying headers, like those launched by WireX.

Placing high-performance, scalable and intelligent threat protection in the mobile network will help service providers defend against these billions of weaponized endpoints and empower them to detect online threats and multi-vector attacks types of attacks, learn from them and, most importantly, stop them.

A multi-layered approach will ensure service providers’ and mobile operators’ entire infrastructure – both inside and out – is protected from threats. Also, a high-performance DDoS solution can protect against megabit to terabit multi-vector DDoS attacks, like those fueled by WireX.