WireX DDoS Android Malware Question

      devilindisguise
      Participant

      Hello everyone

      I help to manage a WAF in my organisation and we get approximately 2000 log entries per month, mainly on our main corporate website’s WAF policy, that trigger a signature that concerns the WireX DDoS Android Malware. Here is an example request (headers only):

      GET /blah/blah/blah HTTP/1.1
      Host: http://www..com
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
      Sec-Fetch-Dest: document
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      accept-language: en
      x-requested-with:
      content-language: en
      Sec-Fetch-Site: none
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Referer: https://inbrowserapp.com/redirect
      Accept-Encoding: gzip, deflate

      I believe the empty x-requested-with: header is what is triggering this signature.

      My question for you is – is this still a concern? Should we still continue to block these requests or based on what you see above, could this be a false positive?

      Thank you.
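As an added triage example (not part of the original post and not the WAF vendor's signature), the following Python parses a raw request head and checks the condition the poster suspects fires the rule, an X-Requested-With header that is present but empty, alongside the Android WebView marker in the User-Agent, so a month of hits can be counted and reviewed instead of blocked on faith. The rule logic is an assumption and the sample request is constructed, with a placeholder host.

```python
from typing import Dict, List

# Constructed sample modelled on the request in the post (headers only);
# the host name is a placeholder.
SAMPLE_REQUEST = """GET /blah/blah/blah HTTP/1.1
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml
x-requested-with:
Referer: https://inbrowserapp.com/redirect
"""

def parse_request(raw: str) -> Dict[str, str]:
    """Parse an HTTP/1.1 request head into a dict keyed by lower-cased header name.
    Header names are case-insensitive; the request line is kept under ':request'."""
    lines = raw.strip("\r\n").split("\n")
    headers = {":request": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def triage(raw: str) -> Dict[str, object]:
    """Evaluate one request against the assumed rule and collect context."""
    h = parse_request(raw)
    xrw = h.get("x-requested-with")  # None if absent, '' if present but empty
    ua = h.get("user-agent", "")
    return {
        "request": h[":request"],
        "signature_hit": xrw == "",          # assumed trigger: empty header
        "android_webview": "; wv)" in ua,    # 'wv' token marks Android WebView
        "referer": h.get("referer", ""),
        "x_requested_with": xrw,
    }

def summarize(requests: List[str]) -> Dict[str, int]:
    """Count hits over a batch so the analyst can size the false-positive question."""
    results = [triage(r) for r in requests]
    hits = [r for r in results if r["signature_hit"]]
    return {
        "total": len(results),
        "hits": len(hits),
        "hits_from_webview": sum(1 for r in hits if r["android_webview"]),
    }
```

Feeding a month of raw request heads through summarize() shows how many hits are WebView traffic with an empty header versus other clients, which is the evidence needed before deciding to keep blocking.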

Copyright ©2020 Caendra, Inc.