WireX Variant Capable of UDP Flood Attacks

F5 Labs has detected a WireX variant capable of launching UDP flood DDoS attacks.

The WireX botnet presented defenders with many superlatives: the largest mobile botnet ever; hundreds of mobile apps spreading application-layer DDoS malware; unprecedented cooperation between technology companies—even competitors—to halt some of its activities.

And now a companion piece to WireX has emerged that retreats right back to traditional DDoS activity, concentrating on UDP flood attacks through Android devices.

Researchers at F5 Labs said the bot sample they’ve analyzed creates 50 simultaneous threads, each capable of sending 10 million UDP packets, each packet weighing in at 512 bytes. The severity of these attacks depends on the infected device hardware, according to F5 security research manager Maxim Zavodchik.

“The hardcoded 10M packets per each thread doesn’t say how many packets per second can be sent,” Zavodchik said.

F5 said this variant shares the same command and control server domain and some identical code to the WireX malware disclosed last week. The first public version of WireX was spread through hundreds of mobile apps—300 of which have been removed from Google Play—that were sending an overwhelming number of requests over HTTPS to websites in an attempt to crash those webservers.

“Currently it seems that the attackers are in a ‘testing’ phase, trying to infect as many devices as they can,” Zavodchik said. “It seems like there are many different variants in the wild. [The] same C&C server serves different variants and there is currently no ‘version upgrade’ functionality in the malware. All versions are participating in the same attack.”

F5 published a report Tuesday that explained how the UDP flood bot browses a command and control URL (u[.]axclick[.]store) to receive a response with the target domain and port details. They also saw a feature served by the C&C URL that causes the malware to open the default Android browser 10 times to browse the target URL. This is similar behavior to click-fraud malware; last week’s report on WireX said the malware shared characteristics with the Android Clicker click-fraud malware. Researchers from a coalition of companies that disclosed the WireX operation last week said the attackers behind this malware likely moved toward DDoS attacks in the recent past.

F5 backed up its claims this malware isn’t up to par or maturity with other DDoS malware.

“The attack execution routine is a bit different from most DDOS malware families. To maintain a continuous flood of packets and better orchestration, usually there are two concurrent executions—one to poll the C&C server for commands and another to execute the packet-sending loop, which executes until it is instructed to stop. Some malware get an attack duration from the C&C server as an attack parameter. The WireX malware doesn’t seem to support this. The attack loops seem to have a constant number of requests/packets sent, and the attack might not stop until it polls the C&C again. In the malware variants we have analyzed, the C&C server is polled in 60 second intervals (and on application launch and network connectivity change events). During a single GET flood loop, it sends 100 requests.”

Zavodchik said UDP flood attacks are easier and faster to pull off because they don’t require a TCP handshake the way HTTP flood attacks do.

“It also allows source IP address spoofing, though this malware doesn’t support it,” he said.

WireX made news last week when a number of tech companies including Google, Oracle, Cloudflare, Akamai and others said this was the largest mobile botnet ever seen. WireX was targeting primarily businesses in the hospitality, pornography and gambling industries with some attacks leaving behind a ransom note demanding an unnamed payment.

Google removed the offending apps from its marketplace and was in the process last week of removing the apps from Android devices through its Play Protect service. Law enforcement had been informed of the activity, including the domains serving malware and commands, but as of last week those sites were still up and running.

Some data shared by the collaborating companies indicates that at a minimum, 70,000 devices from more than 100 countries are infected. Akamai reportedly saw spikes of 120,000 unique IPs involved. The fluctuation in numbers could be due to the fact that as mobile devices move from one cell tower to the next, new IPs are generated each time.

Suggested articles