
The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack

What's this blog post about?

On August 17th, 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet named WireX. The botnet primarily consists of Android devices running malicious applications designed to create DDoS traffic. Researchers from various organizations collaborated to combat this botnet, which was active as early as August 2nd. The attack traffic generated by the botnet is primarily HTTP GET requests resembling valid requests from generic HTTP clients and web browsers. The majority of the traffic from this botnet was distinguishable by the HTTP request's User-Agent string, which contained random lowercase English alphabet characters. The malware was distributed through various Android applications, some disguised as media/video players, ringtones, or tools such as storage managers and app stores. Google removed hundreds of affected applications from its Play Store and started the process of removing them from all devices.

Company
Cloudflare

Date published
Aug. 28, 2017

Author(s)
Jaime Cochran

Word count
3283

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.