User agent switcher to bypass drive by?

Discussion in 'other anti-malware software' started by zakazak, Jan 6, 2012.

Thread Status:
Not open for further replies.
  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hey guys, I know that some exploits/drive-bys on websites check for your browser (user agent) and use exploits according to your browser. Now I thought, why not simply fake the User Agent (so e.g. I have Firefox and change the user agent to Chrome/Safari/Opera or even Googlebot)? They would try to exploit / drive-by a Safari browser although I have Firefox... which means that most exploits won't work at all?

    Would there be any negative effect? E.g. sites not working properly?

    Thanks
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Some sites may not work properly. Especially if you spoof OS, which you may want to consider doing. At one point I had it so that my Windows 7 Chrome showed 64bit Linux Safari.

    I don't know if it would prevent an exploit but I can see it happening.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Yeah, I also thought about websites which won't work properly anymore. So I thought I would fake it to something completely unknown? So instead of telling "Chrome Linux x64" I would use "fake OS x1337". That way the website should show some "standard" version which is supposed to work with 99% of browsers?

    I use the "User Agent Switcher" add-on in Firefox... soon they will add an "exception" list for websites. So in case I find a website which isn't working I would just add it to the exception list (in case I trust the website).
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would put a legitimate OS/browser. If it's obviously fake, or the exploit page doesn't have it, there'll be different results - it may try all exploits or try other methods of detection. I really don't know.
     
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm you have a point there..

    @edit: Using a "known" browser might also increase the chance of having working websites.

    I just changed it to Chrome 15 Ubuntu... now it shows HTML5 support, Gecko engine, etc. All that was shown as "not supported" or "poor" with my random user agent. At the same time I wonder if there are exploits for the "Gecko" engine and if they would work across browser and OS platforms :eek:
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    The well known exploit kits will throw everything + the kitchen sink at your PC regardless of any type of spoofing.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'd love for someone on Wilders to test it out and see.
     
  8. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I agree. If I had access to any of the big/good exploit kits I would do it :S
     
  9. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    There are 2 types of exploit sites. "Sophisticated" sites may tailor the exploits they send you based on your user agent. But other sites will just send the exploits they host, no matter if they are compatible.

    If your browser is vulnerable to one of these, you get owned regardless of your incorrect user agent.

    So the user agent trick would only help defend from sophisticated attack sites. And if protection doesn't work on all sites, it really isn't protection.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What protection works on all sites?
     
  11. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I'd say sandboxing or general security (HIPS, BB).
     
  12. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Remember, I am the guy who made Light Point Security. You started a thread a while back about us.

    For those that don't know, our product Light Point Web allows you to browse all sites from a one-time-use virtual machine in the cloud. This is my idea of total coverage from web based malware, but obviously I am biased. ;)
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah yes, hard to keep track sometimes haha.

    Yeah, I would call that the tightest protection available in terms of protecting a web browser.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    Drive-bys don't care about the user agent - they care about javascript+java+pdf or javascript+java+flash.

    Java is still vulnerable and, from my view, needless.
    Disable it entirely and only allow it on special sites - what's not present can't be attacked.
    (Same for LUA on Windows.)
     
  15. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm... what about those "exploit-pack sites"? I see them getting sold on some forums, containing 200 exploits. I don't think the website which contains those exploits will try all 200 exploits when you visit it?
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    :thumb:
    This can be applied to much more than java. There's a lot of assumption used in exploits, generic example:
    If the OS is #3 and is using browser X, then target file A should be at this location and thread XX should be at location 20 in memory.
    If the file or memory targets are absent, isolated or relocated, the exploit becomes a shot in the dark.
     
  17. BrandiCandi

    BrandiCandi Guest

    :thumb:
    Blocking scripts --> malicious scripts can't run.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
  19. BrandiCandi

    BrandiCandi Guest

    Hmm... not sure I follow (partly because I don't speak German- LOL). What's in that toolbar button? Noscript? Something like notscripts or noscript will only allow whitelisted scripts to run. Those aren't filters as much as they're blockers. So whether the browser recognizes which script it is would be irrelevant. Script not whitelisted = script not running.

    Are you saying that there are scripts that the browser wouldn't recognize as a script?
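
A simplified model of the default-deny allowlisting described in the post above, added here as an illustration; it is not from the thread and is not NoScript's own code. The host names, the sample script list and the `governingHost` / `decide` helpers are assumptions made for the example.

```javascript
// Simplified model of a default-deny script allowlist (illustration only).
// All host names below are constructed sample values.
const ALLOWLIST = new Set(["forum.example", "cdn.forum.example"]);

// Return the host whose trust decision governs a script, or null if none.
// Assumption of this model: inline scripts (no src) belong to the page's host.
function governingHost(script, pageUrl) {
  try {
    // Relative src values resolve against the page URL, as a browser would.
    const url = new URL(script.src ?? pageUrl, pageUrl);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.hostname.toLowerCase();
  } catch {
    return null; // unparsable source: no host, so it can never be allowlisted
  }
}

// Default deny: a script runs only if its governing host is on the allowlist.
// The script's content, or what it claims to be, is never consulted.
function decide(pageUrl, scripts, allowlist = ALLOWLIST) {
  return scripts.map((script) => {
    const host = governingHost(script, pageUrl);
    const allowed = host !== null && allowlist.has(host); // exact host match
    return { label: script.label, host, allowed };
  });
}

// Constructed page: one allowlisted forum page pulling scripts from mixed sources.
const PAGE = "https://forum.example/threads/1";
const SCRIPTS = [
  { label: "site js (relative)", src: "/js/app.js" },
  { label: "inline", src: null },
  { label: "cdn", src: "https://cdn.forum.example/lib.js" },
  { label: "third-party", src: "https://ads.unknown.example/a.js" },
  { label: "lookalike host", src: "https://forum.example.other.example/x.js" },
  { label: "data URL", src: "data:text/javascript,void 0" },
];

function runDemo() {
  return decide(PAGE, SCRIPTS);
}

for (const r of runDemo()) {
  console.log(r.allowed ? "RUN  " : "BLOCK", r.label, r.host);
}
```

Only the first three entries run; the lookalike host is blocked because the match is on the exact host name, not on a substring.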
     