Malware forges HTTP user-agent values


This week I saw “Mozilla/0.6 Beta (Windows)” advertised by a system in the Ukraine that has been attacking me for two weeks. That version was released December 8, 2000 (15 years ago). The same system also advertised “Mozilla/4.0” a few hours later. Yeesh! Malware writers are morons.

I recently reported an HTTP (i.e., web server) attack to a small business owner whose network was infected by malware. Their abuse contact told me that the attack couldn’t have come from their network because

We only use Mac or Linux workstations. The Windows machines that come into our office for repair or virus removal are not connected to the network before going through the cleaning process.

That assertion was based on the fact that the log entries for the attack included a user-agent string that implicated a machine running some version of MS-Windows. Even after I attempted to educate him about malware, he failed to understand that malware forges HTTP user-agent strings. To make that crystal clear, below are the user-agent strings I saw from the most recent attack to guess WordPress account credentials on my blog. The attack came from fourteen computers in Italy. I know this because I have set LogLevel dumpio:trace7 in my httpd.conf config so I can see the entire request of each attack, and am able to confirm that every POST /wp-login.php request was attempting to guess account credentials.

These are the fourteen user-agent strings I saw from that attack:

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.64 Safari/537.31
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/35.0.1916.114 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.43 Safari/537.31
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/27.0.1453.110 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/30.0.1599.69 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.146 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.117 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MAARJS)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)
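The triage I would run over an ordinary Apache access log to separate scripted wp-login.php guessing from real logins, as an added example that is not the author's code and does not use the dumpio request bodies described above. It assumes the default "combined" LogFormat (user-agent as the last quoted field), and the log lines below are constructed, using RFC 5737 documentation addresses rather than the real attacking hosts; two of the constructed sources reuse user-agent strings from the list above, including the "Mozilla/0.6 Beta" to "Mozilla/4.0" switch. The point it makes is the page's own: the platform in a user-agent string is just text the client chose to send, and a single host presenting several "browsers" within minutes is a reliable sign that the string is forged.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat; the user-agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Return one dict per line that matches the combined format; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def claimed_platform(ua):
    """What the user-agent string *says* it runs on. It is only a string the client sent."""
    for token, name in (("Windows", "Windows"), ("Android", "Android"),
                        ("Macintosh", "macOS"), ("Linux", "Linux")):
        if token in ua:
            return name
    return "unknown"

def _is_login(e, method):
    return e["method"] == method and e["path"].split("?", 1)[0] == "/wp-login.php"

def login_attempts(entries):
    """Group POST /wp-login.php requests by source IP."""
    by_ip = defaultdict(list)
    for e in entries:
        if _is_login(e, "POST"):
            by_ip[e["ip"]].append(e)
    return by_ip

def flag_sources(entries):
    """Return {ip: [flags]} for sources whose wp-login.php POSTs look scripted."""
    fetched_form = {e["ip"] for e in entries if _is_login(e, "GET")}
    flags = {}
    for ip, posts in login_attempts(entries).items():
        f = []
        if len({p["ua"] for p in posts}) > 1:
            f.append("ua_rotation")       # one host, several "browsers": the UA is forged
        if any(p["referer"] == "-" for p in posts):
            f.append("no_referer")        # a browser form submit carries the login page as Referer
        if ip not in fetched_form:
            f.append("no_form_fetch")     # never loaded the form it keeps submitting
        if len(posts) >= 2 and all(p["status"] == "200" for p in posts):
            f.append("repeated_failure")  # WordPress re-renders the form (200) on bad credentials, 302 on success
        if f:
            flags[ip] = f
    return flags

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2016:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.146 Safari/537.36"
203.0.113.10 - - [10/Jan/2016:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"
203.0.113.10 - - [10/Jan/2016:03:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)"
203.0.113.11 - - [10/Jan/2016:03:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/0.6 Beta (Windows)"
203.0.113.11 - - [10/Jan/2016:05:40:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2016:03:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.117 Safari/537.36"
198.51.100.7 - - [10/Jan/2016:03:16:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.117 Safari/537.36"
198.51.100.7 - - [10/Jan/2016:03:17:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 12044 "https://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/33.0.1750.117 Safari/537.36"
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, posts in login_attempts(entries).items():
        claims = sorted({claimed_platform(p["ua"]) for p in posts})
        print(f"{ip}: {len(posts)} login POSTs, claims to be {claims}")
    for ip, f in flag_sources(entries).items():
        print(f"{ip}: {', '.join(f)}")
```

Run against a real access_log (`parse_log(open("/var/log/httpd/access_log").read())`) the "ua_rotation" flag alone is enough to answer the abuse contact: whatever the strings say about Windows, a host that is three different browsers inside five seconds is not a person at a browser. The "repeated_failure" heuristic relies on WordPress answering a bad login with 200 and a good one with a 302 redirect; if a site's login flow differs, drop that check rather than trust it.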

I’ve also seen numerous attacks from companies selling hosting on Linux servers that specify HTTP user-agent strings that imply a computer running MS-Windows of some flavor.

This is not the first time I’ve been told by some ignorant tech support person that I must be mistaken because they don’t use that browser or operating system. That someone like my mother would be that ignorant of computer malware is unsurprising. That people managing the computer security of a company are that ignorant goes a long way to explaining why malware is so prevalent.