Altering browser agent string and/or OS string as AV strategy?

Posted by Virus Guy on June 25, 2009, 8:52 am
Many malware servers use the information in the browser agent string to
determine what operating system the user is using and deliver payload
code specifically crafted for that OS.

Why doesn't third-party AV and/or browser-protection software give the
user the choice of altering that string so that malware servers end up
delivering the wrong exploit code to the end user?

Or does typical browsing on legit websites rely too much on this string
to use it as an anti-malware strategy?

Or is it just too hard / difficult to alter this string (for whatever
reason)?

Posted by Char Jackson on June 25, 2009, 11:33 am

>Many malware servers use the information in the browser agent string to
>determine what operating system the user is using and deliver payload
>code specifically crafted for that OS.
>
>Why doesn't third-party AV and/or browser-protection software give the
>user the choice of altering that string so that malware servers end up
>delivering the wrong exploit code to the end user?
>
>Or does typical browsing on legit websites rely too much on this string
>to use it as an anti-malware strategy?
>
>Or is it just too hard / difficult to alter this string (for whatever
>reason)?

Here are a couple of popular ways to change the User Agent string when
using Firefox.

User Agent Switcher https://addons.mozilla.org/en-US/firefox/addon/59
Header Control https://addons.mozilla.org/en-US/firefox/addon/11327



Posted by Singapore Computer Service on June 25, 2009, 11:54 am
Hello,

Symantec Endpoint does allow altering the user agent to a fixed 'IE 999.1'
(or something similar) string but warns that some websites may not work
properly when enabled. And it is true: once enabled, visits to Yahoo.com
immediately reverted to a basic functionality site asking users to upgrade
to a newer browser.

So having this option on by default can cause problems for users who aren't
aware of its implications on sites like Yahoo.
___
http://www.bootstrike.com/ComputerService/
Singapore Computer Home Remote On-Site Repair Service
> Many malware servers use the information in the browser agent string to
> determine what operating system the user is using and deliver payload
> code specifically crafted for that OS.
>
> Why doesn't third-party AV and/or browser-protection software give the
> user the choice of altering that string so that malware servers end up
> delivering the wrong exploit code to the end user?
>
> Or does typical browsing on legit websites rely too much on this string
> to use it as an anti-malware strategy?
>
> Or is it just too hard / difficult to alter this string (for whatever
> reason)?



Posted by David W. Hodgins on June 25, 2009, 11:58 am

> Or does typical browsing on legit websites rely too much on this string
> to use it as an anti-malware strategy?

Yes.

> Or is it just too hard / difficult to alter this string (for whatever
> reason)?

Opera has options to alter the user-agent string to make it look like
Firefox or Internet Explorer. This can be set on a per-site basis,
and is needed because many website coders choose what to send the
browser based on which browser/version is being used, instead of
learning how to detect what features the browser supports.

It's easy to use proxy software, such as Proxomitron, to alter the
agent, but it causes more problems than it's worth.

Regards, Dave Hodgins


--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Posted by Virus Guy on June 27, 2009, 9:13 am
"David W. Hodgins" wrote:

> > Or does typical browsing on legit websites rely too much on this
> > string to use it as an anti-malware strategy?
>
> Yes.

There are two components in the user browser string:

1) The browser being used
2) The OS being used

Is it possible (or useful) to fake *one* of those two to protect a
system against (some) malware payloads and yet not interfere with normal
web browsing?

For example, would faking only the OS component of the string accomplish
that?
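
The split asked about in the last post, as an added example that is not part of the thread: it parses a User-Agent string into its browser and OS components, rewrites only the OS token, and shows what a browser-sniffing site of the kind described above would decide. The sample strings and the `siteVariant` site model are constructed assumptions.

```javascript
// Constructed sample User-Agent strings in 2009-era formats (not from the thread).
const IE7_XP = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)";
const OPERA_XP = "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1";

// Tokens inside the parentheses that name an operating system.
const OS_TOKEN = /^(Windows NT [\d.]+|Windows 9\d|Mac OS X[\w. ]*|Linux[\w ]*)$/;

// Split a UA string into the two components discussed above: browser and OS.
function parseUserAgent(ua) {
  const inParens = (ua.match(/\(([^)]*)\)/) || ["", ""])[1];
  const tokens = inParens.split(";").map((t) => t.trim());
  const os = tokens.find((t) => OS_TOKEN.test(t)) || null;
  // IE names itself inside the parentheses, the others in a product token.
  const m = ua.match(/MSIE ([\d.]+)/) || ua.match(/(?:Firefox|Opera)\/([\d.]+)/);
  if (!m) return { browser: null, version: null, os };
  const browser = m[0].startsWith("MSIE") ? "MSIE" : m[0].split("/")[0];
  return { browser, version: m[1], os };
}

// Replace only the OS token; every other byte of the string is kept.
function withOsToken(ua, newOs) {
  const { os } = parseUserAgent(ua);
  return os ? ua.replace(os, newOs) : ua;
}

// Hypothetical browser-sniffing site: a recognised browser gets the full
// page, anything else gets the basic one.
function siteVariant(ua) {
  return parseUserAgent(ua).browser ? "full" : "basic";
}

// Compare what a header-reading server sees before and after the rewrite.
function compare(ua, newOs) {
  const spoofed = withOsToken(ua, newOs);
  return {
    spoofed,
    before: parseUserAgent(ua),
    after: parseUserAgent(spoofed),
    variantBefore: siteVariant(ua),
    variantAfter: siteVariant(spoofed),
  };
}

console.log(compare(IE7_XP, "Linux i686"));
console.log(compare(OPERA_XP, "Linux i686"));
console.log(siteVariant("IE 999.1")); // a fixed, unrecognised string
```

This covers only what a server reads from the request header. Script running in the page can still read other properties such as `navigator.platform`, which a header-only rewrite by a proxy does not touch.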
