You are browsing the archive for Proxy Logs Analysis.

Monitoring unapproved apps/PUA/PUP/downware using default User Agents used by Installers

December 20, 2015 in Batch Analysis, Clustering, Forensic Analysis, Incident Response, Proxy Logs Analysis

While looking at the user agent list I shared today, I thought it might be an interesting idea to monitor unapproved/PUA/PUP/downware applications by paying attentions to all downloads that are leveraging the default user agents used by common installation packages, or the associated libraries (f.ex. inetc.dll used by Nullsoft packages).

Reviewing the list I came across a few low-hanging fruits:

  • AdvancedInstaller
  • Inno Setup Downloader
  • InnoTools_Downloader
  • InstallMaker
  • NSIS_INETC
  • NSIS_Inetc (Mozilla)
  • NSIS_InetLoad (Mozilla)
  • NSIS_ToolkitOffers (Mozilla)
  • NSISDL/1.2 (Mozi
  • NSISDL/1.2 (Mozilla)
  • Setup Factory
  • Setup Factory 8.0
  • Setup Factory 9.0
  • TryMedia_DM_2.0.0

Monitoring these may not only help to discover people installing unapproved applications, PUA/PUPs/downware, but also potentially malware spreading using popular installers.

Obviously, many dodgy apps use dedicated/proprietary downloaders and it’s not difficult to change the default user agent, so there are still some gaps here, but I believe the value is there and this could become yet another alert helping to protect ‘open internet’ environments.

Santa’s bag full of User Agents

December 20, 2015 in Batch Analysis, Clustering, Compromise Detection, Forensic Analysis, Incident Response, Proxy Logs Analysis

Santa dropped some user agents on the DFIR/RCE community today.

It is similar to other lists shared before:

The list includes over 6K user agents used by samples I sandboxed. There is no guarantee all of them are malicious, so be aware that adding them blindly to some block lists will cause a lot of issues.

If you find any mistakes, please let me know. As mentioned above, this list SHOULD NOT be taken at its face value as there are a lot of ways for it to get contaminated.

Note: the list contains variables (I hope they are self-explanatory 🙂 ):

  • <COMPUTER NAME>
  • <IP>
  • <MAC>
  • <SAMPLE NAME>
  • <USER NAME>