Another user-agent to blacklist: “Proxy Gear Pro/2.1”


On 2015-06-01 I saw my first attack using the user agent “Proxy Gear Pro/2.1 (Windows; N; Windows NT 6.1; en)”. The request was “GET http://impuls.name/pgpro/getheaders3.php?test=bf2c347a6b8ea868ec3dcbf221e75565&auth=1CBE595CB00AF HTTP/1.1”. A bit of Googling suggests this is software from Russian hackers that can be used to find exploitable HTTP proxies and/or act as a proxy. I’ve added it to my blacklisted user-agent rules:

# Block ZmEu and other bots based on their user agent signature. Another sign
# that hackers aren't as smart as they think they are. Note the first
# condition. A quoted user-agent string is another sign of a sloppy hacker. No
# legitimate browser or web crawler quotes the user-agent string.
RewriteCond %{HTTP_USER_AGENT} ^" [OR]
RewriteCond %{HTTP_USER_AGENT} =x00_-gawa.sa.pilipinas.2015 [OR]
RewriteCond %{HTTP_USER_AGENT} =ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} =immoral [OR]
RewriteCond %{HTTP_USER_AGENT} =XML-RPC.NET [OR]
RewriteCond %{HTTP_USER_AGENT} Jorgee [OR]
RewriteCond %{HTTP_USER_AGENT} ^PHP/5\.{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*\stools.ua.random [OR]
RewriteCond %{HTTP_USER_AGENT} ^chroot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s [OR]
RewriteCond %{HTTP_USER_AGENT} ^I'm\sa\smu\smu [OR]
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^q\[ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus\sFucking\sScanner [OR]
RewriteCond %{HTTP_USER_AGENT} ^Proxy\sGear\sPro
RewriteRule ^ /blocked.php [END,E=error-notes:blacklisted-user-agent]
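As an added example (not from the original post), here is a Python script that applies the same blacklist to Apache combined-format access-log lines, so the rules can be checked against past traffic before deploying them. The log lines are constructed for the example and use documentation addresses.

```python
import re

# Patterns mirroring the RewriteCond rules in the post: a "=" pattern is an
# exact string comparison in mod_rewrite; the others are regexes as written.
EXACT_UAS = {"x00_-gawa.sa.pilipinas.2015", "ZmEu", "immoral", "XML-RPC.NET"}
UA_PATTERNS = [re.compile(p) for p in (
    r'^"',                        # quoted user-agent string (first rule above)
    r"^\(\)\s\{",                 # "() {" Shellshock probe in the UA header
    r"^Proxy\sGear\sPro",
    r"Jorgee", r"^PHP/5\.\{", r"^.*\stools.ua.random", r"^chroot", r"^DataCha0s",
    r"^I'm\sa\smu\smu", r"^q\[", r"^Morfeus\sFucking\sScanner",
)]

# Apache "combined" log format; Apache escapes embedded quotes in a field as \".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

def is_blacklisted(ua):
    """Return the rule the user-agent matches, or None if it is allowed."""
    if ua in EXACT_UAS:
        return "exact:" + ua
    for pat in UA_PATTERNS:
        if pat.search(ua):
            return "regex:" + pat.pattern
    return None

def scan_log(lines):
    """Return (host, request, rule) for each line whose user-agent is blacklisted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                               # not combined format; skip it
        ua = m.group("ua").replace('\\"', '"')     # undo Apache's quote escaping
        rule = is_blacklisted(ua)
        if rule:
            hits.append((m.group("host"), m.group("request"), rule))
    return hits

# Constructed sample lines (hosts are RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2015:10:15:32 +0000] "GET http://impuls.name/pgpro/getheaders3.php?test=bf2c347a6b8ea868ec3dcbf221e75565&auth=1CBE595CB00AF HTTP/1.1" 403 221 "-" "Proxy Gear Pro/2.1 (Windows; N; Windows NT 6.1; en)"',
    '198.51.100.9 - - [01/Jun/2015:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"',
    '192.0.2.44 - - [01/Jun/2015:10:17:45 +0000] "GET / HTTP/1.1" 403 221 "-" "\\"Mozilla/5.0\\""',
]
```

Running `scan_log(SAMPLE_LOG)` reports the Proxy Gear Pro request and the quoted-user-agent request, and leaves the Firefox request alone.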

So far I’ve seen this user-agent from four addresses: one in Georgia (the country), one in Ukraine, one in Russia (domain “blackrobber.ru”), and one in the USA (privateinternetaccess.com). The latter is a VPN provider. Malware using VPN services or the Tor network is something I’m starting to see more of; whether that’s intentional on the malware’s part or just an artifact of how the infected computers are configured is unknown.