TrustedSource™ Blog

Tell me your User-Agent and we may not infect you

September 9th, 2008

One of the awkward “free giveaways” bundled as additional payloads in today’s malware is the rise of Rogue Anti-Spyware products. These misleading applications scare the user with fake messages claiming that the system is infected with malware. To remove the fake threats, the user has to pay for the product - that’s where your money is supposed to go.

But today we found an interesting malicious script from a SQL Injection attack - another rising malware trend this year. The dissected website carried over 120 script references pointing to exploit sites. Some of the domains no longer exist, so it seems that the previously legitimate website was infected over and over again.

The malicious script in question checks for the presence of an infection mark string in the browser’s User-Agent. If it is not found, the browser is redirected via an invisible IFRAME to another exploit script that tries to install malware. If the string is found, nothing happens. So a browser carrying the modified User-Agent is not infected again.

Obviously the fake product itself adds this string. Samples from the last months, blocked as “Trojan.Dropper.FraudTool.XPAntivirus” by the Secure Anti-Malware Engine, do exactly this. The malware creates a registry key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform, and Internet Explorer appends the new string to its User-Agent header. So when surfing the web, a network trace reveals the modification, as shown in the following screenshot.

And this is exactly what the attackers use, as shown in the script’s screenshot at the top. They know about this kind of infection marker and don’t want to infect a user again. And if you are curious about which malware you get from the SQL Injection attack when you are not yet infected: it’s “XP SecurityCenter” - just another Rogue Anti-Spyware threat.
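As an added example (not code from the original post or from the TrustedSource team), the following Python script shows how a defender could scan proxy log lines for Internet Explorer User-Agent headers carrying Post Platform tokens outside an allow-list, which is how the modification described above would surface in a network trace. The log lines, the allow-list and the marker token `XPAV-MARK` are constructed placeholders; the real infection mark string is not given in the post.

```python
import re

# Post Platform tokens commonly seen on a clean system (assumption:
# extend this allow-list to match your own environment).
KNOWN_TOKENS = [
    re.compile(r"^\.NET CLR [\d.]+$"),
    re.compile(r"^SV1$"),
    re.compile(r"^Media Center PC [\d.]+$"),
    re.compile(r"^InfoPath\.\d+$"),
    re.compile(r"^Tablet PC [\d.]+$"),
]

# IE format: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; <tokens>)"
IE_UA = re.compile(
    r"Mozilla/\d\.\d \(compatible; MSIE [\d.]+; Windows [^;)]+((?:; [^;)]+)*)\)"
)

def post_platform_tokens(user_agent):
    """Return the Post Platform tokens of an IE User-Agent, or None if
    the header is not an Internet Explorer User-Agent at all."""
    m = IE_UA.search(user_agent)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]

def unexpected_tokens(user_agent):
    """Tokens not matched by any allow-list pattern (empty for non-IE)."""
    tokens = post_platform_tokens(user_agent)
    if tokens is None:
        return []
    return [t for t in tokens if not any(p.match(t) for p in KNOWN_TOKENS)]

# Constructed log lines: client IP, request, User-Agent. "XPAV-MARK"
# stands in for the real infection mark, which the post does not name.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
    '10.0.0.7 "GET /news.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; XPAV-MARK)"',
    '10.0.0.9 "GET /about" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"',
]
LOG_LINE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')

def scan_log(lines):
    """Return (client, unexpected tokens) for each IE request whose
    User-Agent carries a Post Platform token outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and unexpected_tokens(m.group(3)):
            hits.append((m.group(1), unexpected_tokens(m.group(3))))
    return hits

if __name__ == "__main__":
    for client, toks in scan_log(SAMPLE_LOG):
        print(f"{client}: unexpected Post Platform token(s) {toks}")
```

Hosts flagged this way are candidates for a registry check of the Post Platform key named above, since a marker token that no legitimate installer added points at the rogue product.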


Author: Anti-Malware Team
