{
	"id": "463dacac-c770-451e-9dc2-d00bd2eef67a",
	"created_at": "2026-04-06T00:12:41.956057Z",
	"updated_at": "2026-04-10T03:30:33.755535Z",
	"deleted_at": null,
	"sha1_hash": "30e4da67b1ad3e8da12b3390fe87ae36056d6f02",
	"title": "Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 310533,
	"plain_text": "Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet\r\nPublished: 2017-08-28 · Archived: 2026-04-05 15:57:09 UTC\r\nA half dozen technology and security companies — some of them competitors — issued the exact same press\r\nrelease today. This unusual level of cross-industry collaboration caps a successful effort to dismantle ‘WireX,’ an\r\nextraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used\r\nthis month to launch a series of massive cyber attacks.\r\nExperts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are\r\nmore challenging to defend against and thus require broader industry cooperation to defeat.\r\nThis graphic shows the rapid growth of the WireX botnet in the first three weeks of August 2017.\r\nNews of WireX’s emergence first surfaced August 2, 2017, when a modest collection of hacked Android devices\r\nwas first spotted conducting some fairly small online attacks. Less than two weeks later, however, the number of\r\ninfected Android devices enslaved by WireX had ballooned to the tens of thousands.\r\nMore worrisome was that those in control of the botnet were now wielding it to take down several large websites\r\nin the hospitality industry — pelting the targeted sites with so much junk traffic that the sites were no longer able\r\nto accommodate legitimate visitors.\r\nExperts tracking the attacks soon zeroed in on the malware that powers WireX: Approximately 300 different\r\nmobile apps scattered across Google’s Play store that were mimicking seemingly innocuous programs, including\r\nvideo players, ringtones or simple tools such as file managers.\r\n“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in\r\nthe process of removing them from all affected devices,” Google said in a written statement. 
“The researchers’\r\nfindings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”\r\nhttps://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/\r\nPage 1 of 5\n\nPerhaps to avoid raising suspicion, the tainted Play store applications all performed their basic stated functions.\r\nBut those apps also bundled a small program that would launch quietly in the background and cause the infected\r\nmobile device to surreptitiously connect to an Internet server used by the malware’s creators to control the entire\r\nnetwork of hacked devices. From there, the infected mobile device would await commands from the control server\r\nregarding which Websites to attack and how.\r\nA sampling of the apps from Google’s Play store that were tainted with the WireX malware.\r\nExperts involved in the takedown say it’s not clear exactly how many Android devices may have been infected\r\nwith WireX, in part because only a fraction of the overall infected systems were able to attack a target at any given\r\ntime. 
Devices that were powered off would not attack, but those that were turned on with the device’s screen\r\nlocked could still carry on attacks in the background, they found.\r\n“I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to\r\n160,000 (unique Internet addresses) involved in the attack,” said Chad Seaman, a senior engineer at Akamai, a\r\ncompany that specializes in helping firms weather large DDoS attacks (Akamai protected KrebsOnSecurity from\r\nhundreds of attacks prior to the large Mirai assault last year).\r\nThe identical press release that Akamai and other firms involved in the WireX takedown agreed to publish says the\r\nbotnet infected a minimum of 70,000 Android systems, but Seaman says that figure is conservative.\r\n“Seventy thousand was a safe bet because this botnet makes it so that if you’re driving down the highway and\r\nyour phone is busy attacking some website, there’s a chance your device could show up in the attack logs with\r\nthree or four or even five different Internet addresses,” Seaman said in an interview with KrebsOnSecurity. “We\r\nsaw attacks coming from infected devices in over 100 countries. It was coming from everywhere.”\r\nBUILDING ON MIRAI\r\nSecurity experts from Akamai and other companies that participated in the WireX takedown say the basis for their\r\ncollaboration was forged in the monstrous and unprecedented distributed denial-of-service (DDoS) attacks\r\nlaunched last year by Mirai, a malware strain that seeks out poorly-secured “Internet of things” (IoT) devices such\r\nas security cameras, digital video recorders and Internet routers.\r\nThe first and largest of the Mirai botnets was used in a giant attack last September that knocked this Web site\r\noffline for several days. 
Just a few days after that — when the source code that powers Mirai was published online\r\nfor all the world to see and use — dozens of copycat Mirai botnets emerged. Several of those botnets were used to\r\nconduct massive DDoS attacks against a variety of targets, leading to widespread Internet outages for many top\r\nInternet destinations.\r\nAllison Nixon, director of security research at New York City-based security firm Flashpoint, said the Mirai\r\nattacks were a wake-up call for the security industry and a rallying cry for more collaboration.\r\n“When those really large Mirai DDoS botnets started showing up and taking down massive pieces of Internet\r\ninfrastructure, that caused massive interruptions in service for people that normally don’t deal with DDoS\r\nattacks,” Nixon said. “It sparked a lot of collaboration. Different players in the industry started to take notice, and\r\na bunch of us realized that we needed to deal with this thing because if we didn’t it would just keep getting bigger\r\nand rampaging around.”\r\nMirai was notable not only for the unprecedented size of the attacks it could launch but also for its ability to\r\nspread rapidly to new machines. But for all its sheer firepower, Mirai is not a particularly sophisticated attack\r\nplatform. Well, not in comparison to WireX, that is.\r\nCLICK-FRAUD ORIGINS\r\nAccording to the group’s research, the WireX botnet likely began its existence as a distributed method for\r\nconducting “click fraud,” a pernicious form of online advertising fraud that will cost publishers and businesses an\r\nestimated $16 billion this year, according to recent estimates. 
Multiple antivirus tools currently detect the WireX\r\nmalware as a known click fraud malware variant.\r\nThe researchers believe that at some point the click-fraud botnet was repurposed to conduct DDoS attacks. While\r\nDDoS botnets powered by Android devices are extremely unusual (if not unprecedented at this scale), it is the\r\nbotnet’s ability to generate what appears to be regular Internet traffic from mobile browsers that strikes fear in the\r\nheart of experts who specialize in defending companies from large-scale DDoS attacks.\r\nDDoS defenders often rely on developing custom “filters” or “signatures” that can help them separate DDoS\r\nattack traffic from legitimate Web browser traffic destined for a targeted site. But experts say WireX has the\r\ncapability to make that process much harder.\r\nThat’s because WireX includes its own so-called “headless” Web browser that can do everything a real, user-driven browser can do, except without actually displaying the browser to the user of the infected system.\r\nAlso, WireX can encrypt the attack traffic using SSL — the same technology that typically protects the security of\r\na browser session when an Android user visits a Web site which requires the submission of sensitive data. 
This\r\nadds a layer of obfuscation to the attack traffic, because the defender needs to decrypt incoming data packets\r\nbefore being able to tell whether the traffic inside matches a malicious attack traffic signature.\r\nTranslation: It can be far more difficult and time-consuming than usual for defenders to tell WireX traffic apart\r\nfrom clicks generated by legitimate Internet users trying to browse to a targeted site.\r\n“These are pretty miserable and painful attacks to mitigate, and it was these kinds of advanced functionalities that\r\nmade this threat stick out like a sore thumb,” Akamai’s Seaman said.\r\nNOWHERE TO HIDE\r\nTraditionally, many companies that found themselves on the receiving end of a large DDoS attack sought to\r\nconceal this fact from the public — perhaps out of fear that customers or users might conclude the attack\r\nsucceeded because of some security failure on the part of the victim.\r\nBut the stigma associated with being hit with a large DDoS is starting to fade, Flashpoint’s Nixon said, if for no\r\nother reason than it is becoming far more difficult for victims to conceal such attacks from public knowledge.\r\n“Many companies, including Flashpoint, have built out different capabilities in order to see when a third party is\r\nbeing DDoS’d,” Nixon said. “Even though I work at a company that doesn’t do DDoS mitigation, we can still get\r\nvisibility when a third-party is getting attacked. 
Also, network operators and ISPs have a strong interest in not\r\nhaving their networks abused for DDoS, and many of them have built capabilities to know when their networks\r\nare passing DDoS traffic.”\r\nJust as multiple nation states now employ a variety of techniques and technologies to keep tabs on nation states\r\nthat might conduct underground tests of highly destructive nuclear weapons, a great deal more organizations are\r\nnow actively looking for signs of large-scale DDoS attacks, Seaman added.\r\n“The people operating those satellites and seismograph sensors to detect nuclear [detonations] can tell you how\r\nbig it was and maybe what kind of bomb it was, but they probably won’t be able to tell you right away who\r\nlaunched it,” he said. “It’s only when we take many of these reports together in the aggregate that we can get a\r\nmuch better sense of what’s really going on. It’s a good example of none of us being as smart as all of us.”\r\nAccording to the WireX industry consortium, the smartest step that organizations can take when under a DDoS\r\nattack is to talk to their security vendor(s) and make it clear that they are open to sharing detailed metrics related\r\nto the attack.\r\n“With this information, those of us who are empowered to dismantle these schemes can learn much more about\r\nthem than would otherwise be possible,” the report notes. “There is no shame in asking for help. Not only is there\r\nno shame, but in most cases it is impossible to hide the fact that you are under a DDoS attack. A number of\r\nresearch efforts have the ability to detect the existence of DDoS attacks happening globally against third parties\r\nno matter how much those parties want to keep the issue quiet. 
There are few benefits to being secretive and\r\nnumerous benefits to being forthcoming.”\r\nIdentical copies of the WireX report and Appendix are available at the following links:\r\nFlashpoint\r\nAkamai\r\nCloudflare\r\nRiskIQ\r\nSource: https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/"
	],
	"report_names": [
		"tech-firms-team-up-to-take-down-wirex-android-ddos-botnet"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30e4da67b1ad3e8da12b3390fe87ae36056d6f02.pdf",
		"text": "https://archive.orkl.eu/30e4da67b1ad3e8da12b3390fe87ae36056d6f02.txt",
		"img": "https://archive.orkl.eu/30e4da67b1ad3e8da12b3390fe87ae36056d6f02.jpg"
	}
}