Wirex Android DDoS Malware Adds UDP Flood



Figure 5. 60 seconds C&C polling interval


However, although the malware is still evolving, its HTTP functionality already sets it apart. Because the thingbot is built on Android’s WebView class, it inherits browser-like behaviour, which makes it more resistant to common bot challenges such as cookie support, redirects, and JavaScript execution, all of which still trip up many DDoS malware families.

At this stage, mitigation is fairly simple because the requests carry fixed, identifiable patterns, such as the empty “X-Requested-With” header, whose name is sent in lowercase even though it is written in uppercase in the code. Also, although the bot can process JavaScript, it cannot pass more sophisticated browser challenges that rely on more advanced browser-integrity checks.

Behavioral DDoS solutions will also have little trouble spotting the randomized User-Agent strings and the other anomalies in the HTTP requests the botnet sends.
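The two request-level signals described above, the empty X-Requested-With header that the bot sends with a lower-cased name and the per-source User-Agent churn, as a small detector run over constructed request samples. This is an added example written for this page, not code from the original article or from the malware; the sample requests, the IP addresses, and the `ua_threshold` knob are assumptions. Header names are matched case-insensitively (as HTTP requires), so the lower-casing alone cannot evade the rule.

```python
"""Flag WireX-style HTTP flood traffic from two header anomalies:
an empty X-Requested-With header (any capitalisation of the name) and a
source that rotates through many distinct User-Agent strings."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample traffic: (source IP, raw HTTP request head).
# Illustrative only; these are not captures from the article or the malware.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    # 203.0.113.10: bot-like, empty lower-cased x-requested-with, new UA per request
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: jndZtkQpWl\r\nx-requested-with: \r\n\r\n"),
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: AbQr13kjsd\r\nx-requested-with: \r\n\r\n"),
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: zzPqRtYuio\r\nx-requested-with: \r\n\r\n"),
    # 198.51.100.7: legitimate browser, one stable UA, a real AJAX marker value
    ("198.51.100.7", "GET /api/items HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\nX-Requested-With: XMLHttpRequest\r\n\r\n"),
    ("198.51.100.7", "GET /css/app.css HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n"),
    # 192.0.2.44: same empty header but with canonical capitalisation; a
    # case-sensitive match on "x-requested-with" would miss this one.
    ("192.0.2.44", "GET / HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0 (Linux; Android 7.0)\r\nX-Requested-With:\r\n\r\n"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the request headers keyed by lower-cased name.

    HTTP header field names are case-insensitive, so normalising here is what
    lets one rule catch both 'x-requested-with' and 'X-Requested-With'."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def has_empty_x_requested_with(headers: Dict[str, str]) -> bool:
    """True when X-Requested-With is present but carries no value."""
    return headers.get("x-requested-with") == ""


def user_agents_per_source(requests: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count distinct User-Agent strings seen from each source IP."""
    seen = defaultdict(set)
    for ip, raw in requests:
        seen[ip].add(parse_headers(raw).get("user-agent", ""))
    return {ip: len(uas) for ip, uas in seen.items()}


def classify_sources(requests: List[Tuple[str, str]], ua_threshold: int = 3) -> Dict[str, List[str]]:
    """Map each suspicious source IP to the reasons it was flagged.

    ua_threshold is an assumed tuning knob: one real client presents one
    User-Agent, so ua_threshold or more distinct values is treated as
    randomisation. Sources with no findings are omitted."""
    reasons: Dict[str, List[str]] = {}
    flagged_header = {ip for ip, raw in requests if has_empty_x_requested_with(parse_headers(raw))}
    for ip, _ in requests:  # iterate in request order for stable output
        if ip in flagged_header and ip not in reasons:
            reasons[ip] = ["empty X-Requested-With"]
    for ip, count in user_agents_per_source(requests).items():
        if count >= ua_threshold:
            reasons.setdefault(ip, []).append(f"{count} distinct User-Agent strings")
    return reasons


if __name__ == "__main__":
    for ip, why in classify_sources(SAMPLE_REQUESTS).items():
        print(ip, "->", "; ".join(why))
```

Run as a script, the detector flags 203.0.113.10 on both signals and 192.0.2.44 on the header alone, while the Firefox client that sends a populated `X-Requested-With: XMLHttpRequest` is left untouched. In production the User-Agent count would be computed over a sliding time window per source rather than over a fixed list, but the matching logic is the same.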

The WireX malware still seems to be in its QA phase, judging by the many slightly different variants in the wild and the limited attack types and functionality it currently provides. Stay tuned for further developments.


