The WireX botnet took the combined efforts of security researchers and vendors to hobble earlier this year, but the creators of malware used to enslave PCs to the network is back and has increased the WireX arsenal.
In August, researchers from Akamai, CloudFlare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and others joined forces to castrate the WireX botnet, discovered due to targeted attacks against content creators and content delivery networks (CDNs).
The botnet enslaves infected mobile devices and, in the traditional manner of a botnet, uses a command & control (C&C) center to issue commands.
The operator is able to force the slave devices to flood web domains and services with illegitimate traffic without owner consent, leading to distributed denial-of-service (DDoS) attacks which can disrupt services and prevent legitimate traffic from reaching its destination.
Last month, Google discovered the malware had slipped through the net and was hidden within apps hosted on the Play Store. Several hundred apps were quickly removed, but the botnet had already formed.
A series of small attacks took place, but it was not until 17 August that researchers really took note of WireX. On this day, the botnet launched an attack with at least 70,000 concurrent IP addresses, with devices in over 100 countries compromised.
At the time, researchers believed the malware was at the early stages of development, and it seems this prediction has rung true with new functionality now on the horizon.
This week, cybersecurity firm F5 said the firm’s security team has discovered a new companion thingbot — a botnet of compromised mobile and Internet of Things (IoT) devices — to WireX.
In a blog post, the researchers said they have found a variant which, in addition to the original HTTP flooding capabilities used for the DDoS attacks in August, now supports UDP flooding, a type of DoS attack which targets random ports on a victim host with IP packets containing User Datagram Protocol (UDP) packets.
The team analyzed a bot utilizing the malware which contained 50 threads, each of which is able to send 10 million UDP packets of 512 bytes in size.
“Just as in a GET flood, the bot browses a specific command and control (C&C) URL (in this case, “u.axclick.store”) to get the details of the attack target,” F5 explains. “The response includes the target domain and port in the HTML “title” delimeted by the constant “snewxwri” string, similar to the GET flood instruction.”
When the application launches, the malware opens the default Android browser 10 times, which mimics clickfraud functionality — and may evolve into just that in future versions of the malware.
With most DDoS-based malware, there are usually two commands which are sent at the same time to maintain packet flows. One will link to the C&C server for commands, while the other executes a packet-sending loop.
The WireX malware variant does not appear to support this. Instead of asking the C&C server for an attack duration, WireX must constantly request this information.
“When comparing WireX DDoS functionality and modus operandi to the other Windows and Linux DDoS malware families, it still has quite a way to mature as an effective, full-fledged DDoS bot,” the researchers say. “The WireX malware still seems to be in its QA phase, judging by the many slightly different variants in the wild and the limited attack types and functionality it currently provides.”
Previous and related coverage