Malicious codes are being used to track IP addresses and user-agents

News by Dan Raywood

Researchers are facing rigorous entry to sites due to malware tracking more IP addresses and user-agents.

Researchers are facing rigorous entry to sites due to malware tracking more IP addresses and user-agents.


According to research by Websense Security Labs, malicious Web pages are tracking more and more visting IP addresses and user-agents and randomizing the content served so that they can prevent security companies and other researchers from proper analysis.


Following analysis of malicious Flash files, the company investigated a situation where upon receiving a SWF linked URL in an email and clicking it, a user was automatically redirected to a spam Web site. When GNU's Wget utility was used to fetch the page, a ‘403 forbidden' response was received.


Websense initially thought that either the attackers had blacklisted the location or that they had checked all the HTTP header attributes. After the cookie was set it seemed as though the transaction was being conducted as if a user clicked on the swf file as opposed to visiting the page with a simulated browser (Wget).


Security Researcher Stephan Chenette, wrote: “In order to verify this, I wrote a quick PERL script (zipped copy). First, I put all the headers a server would expect if a user were to click on the the swf file and be directed to the spam Web site. I received a ‘200 OK' server response with the spam content.


“I then tried to verify that the server was looking at the HTTP REFERER, but was surprised to see that the response was the same with or without the correct REFERER. After playing with the headers for a few minutes, I noticed that it was simply looking at the user-agent. If the user-agent was Wget, it returned ‘403 Forbidden'.


“A simple thing to do on the research side of things is to create programs using LWP or curl to randomize your headers to look more like a real browser. Alternatively you could just change the user-agent in Wget using the ‘-U' option, but it may take more than this in the future.”


Carl Leonard, security research manager at Websense Security Labs, said: “We have some systems that can retrieve e-content but some give a 403 code. On further analysis it showed that when using the Wget content retrieval tool the malware author was looking for the use of Wget and so delivered a failure. It is akin to a grocers, if the shopkeeper sees and recognises you he decides whether to give you a good apple or a poisoned apple.


“The malware author sees the person trying to access it and agrees on whether or not to present them with the malware. One technique used by malware authors is to use javascript obfuscation to make code not as easily readable for humans, and it is just a case that users need to be aware that it is happening and to be aware of techniques, these are being used and they need to question the vendor as to how they are getting around problems.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews