Researchers are facing rigorous entry to sites due to malware tracking more IP addresses and user-agents.
According to research by Websense Security Labs, malicious Web pages are tracking more and more visting IP addresses and user-agents and randomizing the content served so that they can prevent security companies and other researchers from proper analysis.
Following analysis of malicious Flash files, the company investigated a situation where upon receiving a SWF linked URL in an email and clicking it, a user was automatically redirected to a spam Web site. When GNU's Wget utility was used to fetch the page, a ‘403 forbidden' response was received.
Websense initially thought that either the attackers had blacklisted the location or that they had checked all the HTTP header attributes. After the cookie was set it seemed as though the transaction was being conducted as if a user clicked on the swf file as opposed to visiting the page with a simulated browser (Wget).
Security Researcher Stephan Chenette, wrote: “In order to verify this, I wrote a quick PERL script (zipped copy). First, I put all the headers a server would expect if a user were to click on the the swf file and be directed to the spam Web site. I received a ‘200 OK' server response with the spam content.
“I then tried to verify that the server was looking at the HTTP REFERER, but was surprised to see that the response was the same with or without the correct REFERER. After playing with the headers for a few minutes, I noticed that it was simply looking at the user-agent. If the user-agent was Wget, it returned ‘403 Forbidden'.
“A simple thing to do on the research side of things is to create programs using LWP or curl to randomize your headers to look more like a real browser. Alternatively you could just change the user-agent in Wget using the ‘-U' option, but it may take more than this in the future.”
Carl Leonard, security research manager at Websense Security Labs, said: “We have some systems that can retrieve e-content but some give a 403 code. On further analysis it showed that when using the Wget content retrieval tool the malware author was looking for the use of Wget and so delivered a failure. It is akin to a grocers, if the shopkeeper sees and recognises you he decides whether to give you a good apple or a poisoned apple.