  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Android Botnet WireX: 300+ apps removed from the Google Play Store

    Researchers suspect the botnet was first intended for click fraud but then repurposed for DDoS.

    Jeremy Kirk
    August 29, 2017

    Several big-name IT companies say they've collaborated to investigate and defang a botnet dubbed WireX that leveraged at least 70,000 Android devices to stage distributed denial-of-service attacks. It's perhaps the largest ever botnet to be discovered that harnesses Android devices.

    The botnet code was tucked within hundreds of apps within Google's Play Store, the repository for Android-compatible applications, and other third-party Android app marketplaces. Researchers suspect the botnet was first intended for click fraud but then repurposed for DDoS.

    "That's interesting because the sophistication of people that run those kind of [click fraud] botnets is a lot higher than what we would see in DDoS," says Nick Rieniets, senior security specialist with Akamai Australia and New Zealand. "You are seeing a convergence of those two worlds."

    The malicious apps lured people by offering ringtones, free media players and Android administration tools. Inside the apps was DDoS attack code that could be directed to attack websites and services, although the victims were not identified.

    Google says it has removed 300 tainted apps from its Play Store, a surprisingly high number that somehow escaped the company's security inspections for new apps. It has also tweaked Play Protect, its new app security feature, to remove infected apps from phones and block installs.

    Google had put a great deal of effort into cleaning up the Play Store and proactively spotting apps that purport to be legitimate. But somehow these malicious ones slipped by.

    Industry Hugs

    The companies that lifted the lid on WireX - Akamai, Dyn, Flashpoint, Cloudflare and RiskIQ - issued identical press releases on Monday discussing their findings.

    The somewhat unorthodox cooperation among the companies was attributed to greater cooperation following last year's Mirai IoT attacks and two bouts of virulent ransomware, WannaCry and NotPetya, earlier this year.

    "I've never seen that [cooperation] in the security industry in 20 years," Rieniets says. "It's certainly the industry growing up."

    The first attacks, which were little noticed, have been traced back to Aug. 2. But it wasn't until Aug. 17 that attack analysis revealed "devices from more than 100 countries participated, an uncharacteristic trait for current botnets," the companies write.

    The attacks all left an Android-related signature in logs, which then prompted analysts to attempt to figure out what applications were generating the attack traffic. They found many.

    The DDoS traffic looked like regular HTTP traffic, as if normal users were repeatedly browsing to one of the sites that the botnet controllers commanded the apps to attack. When a phone was attacking a site, users were completely unaware, because the attack occurred in the background, even when the phone was asleep.

    Did You GET that?

    The tricky part of this attack is that it used GET requests, which is regular HTTP traffic. The malicious apps launched a "headless" web browser in the background, which couldn't be seen by the owner of the phone. A command-and-control server supplied a target, and the traffic began flowing to the targeted service.

    Rieniets says such attacks are difficult to mitigate because the traffic looks like regular users trying to visit a site. "If you start getting a flood of GETs among normal ones from browsers and apps, it [could] be challenging for organizations to make accurate decisions" about who to block, he says.

    Many ISPs run so-called "clean pipe" DDoS mitigation defenses, which attempt to only deliver the legitimate, non-bot traffic. But WireX's strategy - to look like real users - made it difficult to parse good and bad traffic.

    WireX is also cleverly coded to actually respond to JavaScript challenges, Rieniets says. Most bots won't respond to JavaScript challenges, which are used to detect certain characteristics of website visitors in order to try to distinguish bots from regular users.

    Constant Innovation

    Why those who created WireX decided to harness Android devices remains a mystery. But it shows, like the Mirai worm last year, that there is constant innovation among attackers (see Fast-Spreading Mirai Worm Disrupts UK Broadband Providers).

    "It's unusual from a DDoS perspective to see this kind of vehicle [Android] being used," Rieniets says.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Shady links, questionable emails, pirated videos, and ... the Google Play Store?

    "Mobile devices will routinely change IP address as they move from cell tower to cell tower and this aspect makes estimating the size of a botnet uniquely challenging," Justin Paine, Head Of Trust and Safety at Cloudflare told eWEEK.

    Conservative estimates put the number of infected Android systems at 70,000, although researchers say it could actually be much higher.

    Jack Morse

    Malware authors have long used any and all tools at their disposal to trick victims into downloading malicious software, but the latest app-powered botnet uncovered by researchers in early August makes it clear that even marquee sources like Google may not be as secure as initially thought.

    Dubbed WireX by security researchers, the latest online threat targeted Android phones and hid behind approximately 300 different apps that could all be downloaded via the Google Play Store. According to Krebs on Security, once downloaded, the software — which masqueraded as legitimate programs like ringtones and video players — roped a user's phone into a large botnet that was harnessed to attack websites with distributed denial-of-service attacks.

    Conservative estimates put the number of infected Android systems at 70,000, although researchers say it could actually be much higher. Let's be real, that's pretty bad. It's even worse that those devices were potentially used to power a criminal enterprise all because their owners decided to download something via a Google distribution service.

    The Mountain View-based company, upon discovery of the compromised apps, moved quickly to remove them from the Play Store. "We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices," a spokesperson told Mashable via email. "The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere."

    And that's welcome news. However, just because the WireX malware no longer has a distribution home on Google Play doesn't mean we're all free and clear. This could happen again.

    "What we find very often in this space is that when a new type of event or attack takes place it provides a playbook for the other bad actors," Gary Davis, the Chief Consumer Security Evangelist at McAfee, wrote over email. "We expect that we could see more of these botnets show up in the future if cybercriminals continue to be successful."

    Notably, Davis doesn't see this same level of danger for Apple's App Store — meaning it's Android users in particular that are at risk. Why? Well, according to Davis, the Google Play Store is in some sense a victim of its own success.

    "While Apple has been very successful in selling the iPhone, Android has more phones out in the market which makes it a bigger target for cybercriminals," Davis noted. "Also, Android is distributed across numerous carriers and manufacturers, which makes it more challenging to provide updates across its user base. This can lead to many consumers using older Android operating systems that could leave them susceptible to an attack."

    While Android users may be at a greater risk for mistakenly downloading malware than iPhone owners, both groups can take steps to protect themselves. Davis emphasized that reading app reviews is an easy way to see if anything appears fishy, and that when in doubt simply don't download.

    Truthfully, as malware creators continue to find new and creative ways to spread their wares, this is solid advice for anyone with a smartphone — especially individuals that rely on Google Play.

    "The growth in mobile has made it a lucrative target for the bad guys," Davis cautioned, "and we expect to see more of these attacks and other types of attacks in the future as cybercriminals continue to realize success."

    So buckle up. This app-based malware ride is far from over.
    Last edited by 5ms; 30-08-2017 at 10:45.

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

    Brian Krebs
    28 Aug 17

    News of WireX’s emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices was first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands.

    More worrisome was that those in control of the botnet were now wielding it to take down several large websites in the hospitality industry — pelting the targeted sites with so much junk traffic that the sites were no longer able to accommodate legitimate visitors.

    Experts involved in the takedown say it’s not clear exactly how many Android devices may have been infected with WireX, in part because only a fraction of the overall infected systems were able to attack a target at any given time. Devices that were powered off would not attack, but those that were turned on with the device’s screen locked could still carry on attacks in the background, they found.

    “I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to 160,000 (unique Internet addresses) involved in the attack,” said Chad Seaman, a senior engineer at Akamai, a company that specializes in helping firms weather large DDoS attacks.

    The identical press release that Akamai and other firms involved in the WireX takedown agreed to publish says the botnet infected a minimum of 70,000 Android systems, but Seaman says that figure is conservative.

    “Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and your phone is busy attacking some website, there’s a chance your device could show up in the attack logs with three or four or even five different Internet addresses,” Seaman said in an interview with KrebsOnSecurity. “We saw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”

    According to the group’s research, the WireX botnet likely began its existence as a distributed method for conducting “click fraud,” a pernicious form of online advertising fraud that will cost publishers and businesses an estimated $16 billion this year, according to recent estimates. Multiple antivirus tools currently detect the WireX malware as a known click fraud malware variant.

    The researchers believe that at some point the click-fraud botnet was repurposed to conduct DDoS attacks. While DDoS botnets powered by Android devices are extremely unusual (if not unprecedented at this scale), it is the botnet’s ability to generate what appears to be regular Internet traffic from mobile browsers that strikes fear in the heart of experts who specialize in defending companies from large-scale DDoS attacks.

    DDoS defenders often rely on developing custom “filters” or “signatures” that can help them separate DDoS attack traffic from legitimate Web browser traffic destined for a targeted site. But experts say WireX has the capability to make that process much harder.

    That’s because WireX includes its own so-called “headless” Web browser that can do everything a real, user-driven browser can do, except without actually displaying the browser to the user of the infected system.

    Also, WireX can encrypt the attack traffic using SSL — the same technology that typically protects the security of a browser session when an Android user visits a Web site which requires the submission of sensitive data. This adds a layer of obfuscation to the attack traffic, because the defender needs to decrypt incoming data packets before being able to tell whether the traffic inside matches a malicious attack traffic signature.

    Translation: It can be far more difficult and time-consuming than usual for defenders to tell WireX traffic apart from clicks generated by legitimate Internet users trying to browse to a targeted site.

    “These are pretty miserable and painful attacks to mitigate, and it was these kinds of advanced functionalities that made this threat stick out like a sore thumb,” Akamai’s Seaman said.

    Traditionally, many companies that found themselves on the receiving end of a large DDoS attack sought to conceal this fact from the public — perhaps out of fear that customers or users might conclude the attack succeeded because of some security failure on the part of the victim.

    But the stigma associated with being hit with a large DDoS is starting to fade, Flashpoint’s Nixon said, if for no other reason than it is becoming far more difficult for victims to conceal such attacks from public knowledge.

    “Many companies, including Flashpoint, have built out different capabilities in order to see when a third party is being DDoS’d,” Nixon said. “Even though I work at a company that doesn’t do DDoS mitigation, we can still get visibility when a third-party is getting attacked. Also, network operators and ISPs have a strong interest in not having their networks abused for DDoS, and many of them have built capabilities to know when their networks are passing DDoS traffic.”

    Just as multiple nation states now employ a variety of techniques and technologies to keep tabs on nation states that might conduct underground tests of highly destructive nuclear weapons, a great deal more organizations are now actively looking for signs of large-scale DDoS attacks, Seaman added.

    “The people operating those satellites and seismograph sensors to detect nuclear [detonations] can tell you how big it was and maybe what kind of bomb it was, but they probably won’t be able to tell you right away who launched it,” he said. “It’s only when we take many of these reports together in the aggregate that we can get a much better sense of what’s really going on. It’s a good example of none of us being as smart as all of us.”

    According to the WireX industry consortium, the smartest step that organizations can take when under a DDoS attack is to talk to their security vendor(s) and make it clear that they are open to sharing detailed metrics related to the attack.

    “With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible,” the report notes. “There is no shame in asking for help. Not only is there no shame, but in most cases it is impossible to hide the fact that you are under a DDoS attack. A number of research efforts have the ability to detect the existence of DDoS attacks happening globally against third parties no matter how much those parties want to keep the issue quiet. There are few benefits to being secretive and numerous benefits to being forthcoming.”

    Identical copies of the WireX report and Appendix are available at the following links:
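Both the first post (the "Did You GET that?" section) and the Krebs piece above make the same point: each WireX request is an ordinary-looking GET from a mobile browser, so a defender cannot match on a single request and has to look at the aggregate instead. As an added illustration (not code from the articles or from the WireX researchers), the following check groups web server access log entries per minute and URL and flags buckets with a burst of GETs from many distinct addresses that almost all announce an Android browser. The log lines, the user-agent strings and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

# Constructed sample log (not from the articles): 40 GETs for "/" from 40 different
# Android clients inside one minute, plus three ordinary desktop requests to /about.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/60.0 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/60.0 Safari/537.36"
SAMPLE_LOG = [
    f'203.0.113.{i} - - [17/Aug/2017:10:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 5120 "-" "{ANDROID_UA}"'
    for i in range(1, 41)
] + [
    f'198.51.100.{i} - - [17/Aug/2017:10:00:{i:02d} +0000] "GET /about HTTP/1.1" 200 2048 "-" "{DESKTOP_UA}"'
    for i in range(1, 4)
]


def parse(line):
    """Return the fields this check needs, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, ua = m.groups()
    return {"ip": ip, "minute": ts[:17], "method": method, "path": path, "ua": ua}


def find_get_floods(lines, min_requests=30, min_distinct_ips=20, min_android_share=0.8):
    """Group GETs by (minute, path) and flag buckets that look like the WireX pattern:
    a burst of plain GETs to one URL from many addresses, nearly all Android browsers."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set(), "android": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "GET":
            continue
        b = buckets[(rec["minute"], rec["path"])]
        b["count"] += 1
        b["ips"].add(rec["ip"])
        if "Android" in rec["ua"]:
            b["android"] += 1
    alerts = []
    for (minute, path), b in sorted(buckets.items()):
        share = b["android"] / b["count"]
        if b["count"] >= min_requests and len(b["ips"]) >= min_distinct_ips and share >= min_android_share:
            # distinct_ips overstates the number of devices: a handset moving between
            # cell towers shows up under several addresses, as the Akamai engineer notes.
            alerts.append({"minute": minute, "path": path, "requests": b["count"],
                           "distinct_ips": len(b["ips"]), "android_share": round(share, 2)})
    return alerts
```

On the constructed sample the "/" bucket is flagged (40 requests, 40 addresses, 100% Android) while the three /about requests are not; on real logs the thresholds must be tuned to the site's normal mobile traffic share.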
