WireX DDoS Botnet

The WireX malware has been targeting Android devices and was found contained in many apps available for download on Google Play Store. The malware is designed to compromise devices for use in a botnet.

Threat ID:: CC-1620
Category:: DOS, Trojan, Botnet
Threat Severity:: Low
Threat Vector:: Download
Published:: 1 September 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Android

Threat details

The WireX botnet ranges between 30,000 and 120,000 compromised devices and has been used to carry out numerous Distributed Denial of Service (DDoS) attacks throughout August 2017.

Approximately 300 apps have been removed from Google Play Store after been identified as containing the WireX malware. A list of removed applications doesn’t currently exist.

Once the WireX malware is downloaded, it will wait for further instructions from its Command & Control (C2) server before it is activated.

The following User-Agent strings were identified in many logs from earlier DDoS attacks:

User-Agent: jigpuzbcomkenhvladtwysqfxr
User-Agent: yudjmikcvzoqwsbflghtxpanre
User-Agent: mckvhaflwzbderiysoguxnqtpj
User-Agent: deogjvtynmcxzwfsbahirukqpl
User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
User-Agent: yczfxlrenuqtwmavhojpigkdsb
User-Agent: dnlseufokcgvmajqzpbtrwyxih

Any organisation that has suffered a DDoS attack during the month of August 2017 is recommended to check their logs for the above IOC’s. This will help identify whether it was the WireX botnet that was involved in the attack.

**Update 15/09/2017**

The researchers which initially found the WireX malware have now found a variant which includes User Datagrama Protocol (UDP) flood capabilities. A WireX bot is capable of creating 50 threads each sending up to 10 million UDP packets at 512 bytes in size.

Remediation steps

Type	Step
	Consider the use of a third party DDoS mitigation tool. Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose. Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation. Ensure that any corporate Android devices are up-to-date with patches and specifically the Google Play Store updates. Consider whitelisting applications on any corporate Android devices.

Type

Step

Consider the use of a third party DDoS mitigation tool.
Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.
Ensure that any corporate Android devices are up-to-date with patches and specifically the Google Play Store updates.
Consider whitelisting applications on any corporate Android devices.

Last edited: 17 February 2020 11:41 am