SANS ISC InfoSec Forums
AliExpress being used as C&C for DoS?
This is the second time in the last couple of months I have discovered a user with the AliExpress Android app installed on their device with outgoing traffic being labeled as "SSL_HELLO_Msg_DoS". Both times the user claims to have NOT been using this application, but it shows on their device as having used data recently without being active in the background.

Our IPS shows the outgoing traffic to the following IP addresses:
140.205.195.53 (China)
47.88.68.98 (Alibaba - San Francisco)

Everything I can find on the SSL_HELLO_Msg_DoS signature is that it is an old attack and most likely not effective anymore.

Does anyone think this is just valid traffic being identified incorrectly, or is something else going on here? I only have the events from our IPS to investigate and no packet captures.

Both users have deleted the application from their devices.
Anonymous
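Added worked example, not from the original post or the poster: the question above can only be settled with packet-level data, and the thing worth checking once a capture exists is whether the handset is really hammering those IPs with TLS ClientHello messages (the assumption here is that an "SSL_HELLO_Msg_DoS"-style signature fires on a high rate of ClientHellos to one destination; vendors differ, so treat that as an assumption, not a statement about any specific IPS). The script below builds minimal TLS 1.2 ClientHello records as constructed test input, parses the SNI host name out of each record, and reports flows whose ClientHello rate inside a sliding window exceeds a threshold. The SNI values (cdn.example, api.example) and the client address 10.0.0.23 are made up; the destination IPs are the two from the post. Feeding it real records (for example the TLS payloads pulled from a pcap with tshark) would show whether the "DoS" is a burst of handshakes to one CDN host or ordinary background traffic.

```python
import struct
from collections import defaultdict


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Constructed test input for this example, not captured traffic."""
    host = sni.encode()
    # server_name extension body: list length, name type 0 (host_name), name length, name
    sni_ext_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeroed, fine for a parser test)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if the
    record is not a ClientHello or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                                    # handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len               # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = hs[pos]; pos += 1 + cm_len                 # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0 and elen >= 5:                    # server_name extension
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def hello_counts(events, window_s=10.0):
    """events: iterable of (timestamp_s, src_ip, dst_ip, tls_record_bytes).
    Returns {(src, dst, sni): peak number of ClientHellos seen in any window_s-second window}."""
    by_flow = defaultdict(list)
    for ts, src, dst, payload in events:
        sni = parse_client_hello_sni(payload)
        if sni is None:
            continue                                    # not a ClientHello (e.g. application data)
        by_flow[(src, dst, sni)].append(ts)
    peak = {}
    for flow, times in by_flow.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):                  # two-pointer sliding window
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        peak[flow] = best
    return peak


def suspicious_flows(events, threshold=20, window_s=10.0):
    """Flows whose ClientHello burst reaches the threshold; the rest is ordinary handshake noise."""
    return sorted(f for f, n in hello_counts(events, window_s).items() if n >= threshold)


# Constructed sample: a 30-hello burst in 3 s to one of the IPs from the post,
# a background handshake every 30 s to the other, and one non-handshake record.
SAMPLE_EVENTS = (
    [(i * 0.1, "10.0.0.23", "47.88.68.98", build_client_hello("cdn.example")) for i in range(30)]
    + [(i * 30.0, "10.0.0.23", "140.205.195.53", build_client_hello("api.example")) for i in range(5)]
    + [(5.0, "10.0.0.23", "47.88.68.98", b"\x17\x03\x03\x00\x01\x00")]   # application data, ignored
)

if __name__ == "__main__":
    for flow, n in sorted(hello_counts(SAMPLE_EVENTS).items()):
        print(f"{flow[0]} -> {flow[1]} sni={flow[2]}: peak {n} ClientHellos / 10 s")
    print("flagged:", suspicious_flows(SAMPLE_EVENTS))
```

The threshold and window are placeholders; the useful part is comparing the flagged flow's SNI against what the app is expected to talk to, and looking at whether the hellos ever complete a handshake (a ServerHello coming back), which a signature-only IPS event cannot tell you.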