{"id":3438,"date":"2015-12-20T16:53:55","date_gmt":"2015-12-20T16:53:55","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3438"},"modified":"2015-12-20T16:53:55","modified_gmt":"2015-12-20T16:53:55","slug":"monitoring-unapproved-appspuapupdownware-using-default-user-agents-used-by-installers","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/12\/20\/monitoring-unapproved-appspuapupdownware-using-default-user-agents-used-by-installers\/","title":{"rendered":"Monitoring unapproved apps\/PUA\/PUP\/downware using default User Agents used by Installers"},"content":{"rendered":"<p>While looking at the user agent list I shared <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/12\/20\/santas-bag-full-of-user-agents\/\">today<\/a>, I thought it might be an interesting idea to monitor unapproved\/PUA\/PUP\/downware applications by paying attention to all downloads that are leveraging the default user agents used by common installation packages, or the associated libraries (f.ex. 
inetc.dll used by Nullsoft packages).<\/p>\n<p>Reviewing the list I came across a few low-hanging fruit:<\/p>\n<ul>\n<li>AdvancedInstaller<\/li>\n<li>Inno Setup Downloader<\/li>\n<li>InnoTools_Downloader<\/li>\n<li>InstallMaker<\/li>\n<li>NSIS_INETC<\/li>\n<li>NSIS_Inetc (Mozilla)<\/li>\n<li>NSIS_InetLoad (Mozilla)<\/li>\n<li>NSIS_ToolkitOffers (Mozilla)<\/li>\n<li>NSISDL\/1.2 (Mozi<\/li>\n<li>NSISDL\/1.2 (Mozilla)<\/li>\n<li>Setup Factory<\/li>\n<li>Setup Factory 8.0<\/li>\n<li>Setup Factory 9.0<\/li>\n<li>TryMedia_DM_2.0.0<\/li>\n<\/ul>\n<p>Monitoring these may not only help to discover people installing unapproved applications, PUA\/PUPs\/downware, but also potentially malware spreading using popular installers.<\/p>\n<p>Obviously, many dodgy apps use dedicated\/proprietary downloaders and it&#8217;s not difficult to change the default user agent, so there are still some gaps here, but I believe the value is there and this could become yet another alert helping to protect &#8216;open internet&#8217; environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While looking at the user agent list I shared today, I thought it might be an interesting idea to monitor unapproved\/PUA\/PUP\/downware applications by paying attention to all downloads that are leveraging the default user agents used by common installation packages, &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/12\/20\/monitoring-unapproved-appspuapupdownware-using-default-user-agents-used-by-installers\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,19,46,33],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3438"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3438"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3438\/revisions"}],"predecessor-version":[{"id":3439,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3438\/revisions\/3439"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}