User agent switcher to bypass drive by?

Discussion in 'other anti-malware software' started by zakazak, Jan 6, 2012.

Thread Status:
Not open for further replies.
  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hey guys, I know that some exploits/drive-by on websites check for your browser (user agent) and use exploits according to your browser. Now I thought, why not simply faking the User Agent (so e.g. I have firefox and change the user agent to chrome/safari/opera or even googlebot) ? They would try to exploit / drive-by a safari browser altough I have firefox.. which means that most exploit won't work at all?

    Would there be any negative effect? E.g. sites not working properly ?

    Thanks
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Some sites may not work properly. Especially if you spoof OS, which you may want to consider doing. At one point I had it so that my Windows 7 Chrome showed 64bit Linux Safari.

    I don't know if it would prevent an exploit but I can see it happening.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Ye I also thought about websites which won't work properly anymore. So I thought I would fake it to something completely unknown? So instead of telling "chrome Linux x64" I would use "fake OS x1337". That why the website should show some "standard" version which is supposed to work with 99% of browsers?

    I use "user agent switcher" addon in firefox.. soon they will add an "exception" list for websites. So in case I find a website which isn't working I would just add it on the exception list (in case I trust the website).
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would put a legitimate OS/ browser. If it's obviously fake/ the exploit page doesn't have it there'll be different results - it may try all exploits or try other methods of detection. I really don't know.
     
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm you have a point there..

    @edit: Using a "known" browser might also increase the chance of having working websites.

    I just changed it to chrome 15 Ubuntu.. now It shows html5 support, gecko engine, etc.. All that was shown as "not supported" or "poort" with my random user agent. At the same time I wonder if there are exploits for the "gecko" engine and if they would work across browser and OS platforms :eek:
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    648
    Location:
    Sydney Australia
    The well known exploit kits will throw everything + the kitchen sink at your PC regardless of any type of spoofing.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'd love for someone on Wilders to test it out and see.
     
  8. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I agree. If I would have access to any of the big/good exploit kits I would do it :S
     
  9. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    There are 2 types of exploit sites. "Sophisticated" sites may tailor the exploits they send you based on your user agent. But other sites will just send the exploits they host, no matter if they are compatible.

    If your browser is vulnerable to one of these, you get owned regardless of your incorrect user agent.

    So the user agent trick would only help defend from sophisticated attack sites. And if protection doesn't work on all sites, it really isn't protection.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What protection works on all sites?
     
  11. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I'd say sanboxing or general security (HIPS,BB).
     
  12. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Remember, I am the guy who made Light Point Security. You started a thread a while back about us.

    For those that don't know, our product Light Point Web allows you to browse all sites from a one-time-use virtual machine in the cloud. This is my idea of total coverage from web based malware, but obviously I am biased. ;)
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Ah yes, hard to keep track sometimes haha.

    Yeah, I would call that the tightest protection available in terms of protecting a web browser.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,178
    drive-by dont care about user agent - they care about javascript+java+pdf or javascript+java+flash.

    java is still vulnerable and from my view needless.
    disable at all and only allow on special sites - whats not present cant be attacked.
    (same for LUA at windows)
     
  15. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm.. what about those "exploit-pack sites" ? I see them getting sold on some forums.. containing 200 exploits. I don't think when you visit the website which contains those exploit will try all 200 exploits?
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    :thumb:
    This can be applied to much more than java. There's a lot of assumption used in exploits, generic example:
    If the OS is #3 and is using browser X, then target file A should be at this location and thread XX should be at location 20 in memory.
    If the file or memory targets are absent, isolated or relocated, the exploit becomes a shot in the dark.
     
  17. BrandiCandi

    BrandiCandi Guest

    :thumb:
    Blocking scripts --> malicious scripts can't run.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,178
  19. BrandiCandi

    BrandiCandi Guest

    Hmm... not sure I follow (partly because I don't speak German- LOL). What's in that toolbar button? Noscript? Something like notscripts or noscript will only allow whitelisted scripts to run. Those aren't filters as much as they're blockers. So whether the browser recognizes which script it is would be irrelevant. Script not whitelisted = script not running.

    Are you saying that there are scripts that the browser wouldn't recognize as a script?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.