When good URLs are bad for business

Analyzing memory dumps comes with a price – ‘good’ information overload. One that annoys me a lot is running URL/domain extraction tools over the memdump and finding tons of legitimate URLs that make it harder to find the juicy stuff I am after. I mean, things like:

  • http://www.w3.org/2001/XMLSchema-instance
  • http://www.w3.org/2000/svg
  • http://www.w3.org/1999/xlink
  • http://www.w3.org/XML/1998/namespace
  • http://www.w3.org/1999/xhtml
  • http://www.w3.org/2000/xmlns/
  • http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd
  • http://update.microsoft.com
  • http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc

There are a lot of ‘good’ URLs embedded in manifests, various resources (e.g. HTML/XML/JSON/CSS files) and certificates, and many are introduced as a side-effect of linking with static libraries that often include copyright information and a URL to the author’s page. And of course, there is vendor information, either directly in the resources or in the binary or its config files.

Memory dump analysis is not the only thing that suffers from this. The same goes for network log analysis – lots of requests that ‘hide’ the juicy stuff are related to authentication checks, downloads from certificate stores, etc.

In an effort to help with analysis I started building a small repository of these ‘good’ URLs (at the moment primarily related to certificates). I extracted them from my ‘good’ sample repository, so I believe all of them are legitimate. If you find any error, please let me know.

You can download the repo here.

Monitoring unapproved apps/PUA/PUP/downware using default User Agents used by Installers

While looking at the user agent list I shared today, I thought it might be an interesting idea to monitor unapproved/PUA/PUP/downware applications by paying attention to all downloads that leverage the default user agents used by common installation packages or their associated libraries (e.g. inetc.dll used by Nullsoft packages).

Reviewing the list, I came across some low-hanging fruit:

  • AdvancedInstaller
  • Inno Setup Downloader
  • InnoTools_Downloader
  • InstallMaker
  • NSIS_INETC
  • NSIS_Inetc (Mozilla)
  • NSIS_InetLoad (Mozilla)
  • NSIS_ToolkitOffers (Mozilla)
  • NSISDL/1.2 (Mozi
  • NSISDL/1.2 (Mozilla)
  • Setup Factory
  • Setup Factory 8.0
  • Setup Factory 9.0
  • TryMedia_DM_2.0.0

Monitoring these may help not only to discover people installing unapproved applications, PUA/PUPs/downware, but also potentially malware that spreads using popular installers.

Obviously, many dodgy apps use dedicated/proprietary downloaders and it’s not difficult to change the default user agent, so there are still some gaps here, but I believe the value is there and this could become yet another alert helping to protect ‘open internet’ environments.
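As an added example (not the author's repository or tooling), the two ideas from both posts in one small script: an allowlist check that drops the ‘good’ URLs above from extraction output, matching on exact host and a path boundary so a lookalike host does not inherit trust, and a check that flags proxy-log requests whose User-Agent starts with one of the installer defaults listed above. The log format and the sample log lines are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# 'Good' URLs from the post. Matched on exact scheme+host and a '/' path
# boundary, never as a bare substring (see url_is_known_good).
KNOWN_GOOD_URLS = [
    "http://www.w3.org/2001/XMLSchema-instance", "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink", "http://www.w3.org/XML/1998/namespace",
    "http://www.w3.org/1999/xhtml", "http://www.w3.org/2000/xmlns/",
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd", "http://update.microsoft.com",
    "http://schemas.microsoft.com/rtc/2009/05/simplejoinconfdoc",
]
# Installer default user agents from the post, reduced to case-insensitive
# prefixes (one entry covers 'Setup Factory', 'Setup Factory 8.0', ...).
INSTALLER_UA_PREFIXES = [
    "AdvancedInstaller", "Inno Setup Downloader", "InnoTools_Downloader", "InstallMaker",
    "NSIS_Inetc", "NSIS_InetLoad", "NSIS_ToolkitOffers", "NSISDL/1.2", "Setup Factory",
    "TryMedia_DM_2.0.0",
]
# Constructed proxy log lines: <client-ip> <method> <url> "<user-agent>"
SAMPLE_LOG = [
    '10.0.0.5 GET http://cdn.example.net/offer.exe "NSIS_Inetc (Mozilla)"',
    '10.0.0.7 GET http://www.example.org/ "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.9 GET http://dl.example.com/setup.bin "Setup Factory 9.0"',
]
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def url_is_known_good(url):
    """True only if scheme and host match exactly and the path is the allowlisted path or a sub-path."""
    u = urlsplit(url.strip())
    for good in KNOWN_GOOD_URLS:
        g = urlsplit(good)
        if (u.scheme, u.netloc.lower()) != (g.scheme, g.netloc.lower()):
            continue  # 'update.microsoft.com.lookalike.example' never matches
        upath, gpath = u.path or "/", g.path or "/"
        if upath == gpath or upath.startswith(gpath.rstrip("/") + "/"):
            return True
    return False

def installer_ua_hits(log_lines):
    """Return (client, url, matched_prefix) per request using an installer UA."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):  # skip malformed lines
        ua = m.group("ua").lower()
        for prefix in INSTALLER_UA_PREFIXES:
            if ua.startswith(prefix.lower()):
                hits.append((m.group("src"), m.group("url"), prefix))
                break  # one alert per request, first matching prefix wins
    return hits
```

Feeding the output of a strings/URL extractor through `url_is_known_good` removes the noise entries; `installer_ua_hits` is the alert logic that would sit over the proxy log.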