Friday, June 29, 2007

Malicious payload based on user-agent string

Websense Security Labs has a blog post about a malicious site serving up payloads based on the HTTP user-agent string. This is something I've seen in the wild many times, and I kind of thought it was old news. The easiest way to get around this kind of simple protection is to set the user-agent string sent by wget. You'll want to use the "--user-agent" option, and there is an extensive list of user-agent strings at http://www.user-agents.org.

Pro-tip: a generally malware-ok user-agent string is
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
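
An added example, not part of the original post: to confirm that a server is keying on the user-agent string, request the same URL once per user-agent and group the responses by status and SHA-256. The second user-agent string, the localhost stand-in server and all function names are constructed for illustration.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# First string is the one quoted in the post; the second is a constructed sample.
USER_AGENTS = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
               "Wget/1.10.2"]
# Connect directly and ignore any proxy environment variables.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch(url, user_agent, timeout=10):
    """Return (status, body) for url requested with the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # an error for one UA is itself a signal
        return err.code, err.read()

def compare_by_user_agent(url, user_agents=USER_AGENTS):
    """Group user agents by (status, SHA-256 of body) of what each received."""
    groups = defaultdict(list)
    for ua in user_agents:
        status, body = fetch(url, ua)
        groups[(status, hashlib.sha256(body).hexdigest())].append(ua)
    return dict(groups)

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed localhost stand-in for a server that keys on User-Agent."""
    def do_GET(self):
        msie = "MSIE" in self.headers.get("User-Agent", "")
        body = b"same-for-all" if self.path == "/static" else (
            b"variant-a" if msie else b"variant-b")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server():
    """Start the stand-in on a free localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port

if __name__ == "__main__":
    print(compare_by_user_agent(start_demo_server() + "/"))
```

More than one group in the result means the server returned different content depending on the user-agent string; a single group means every user-agent got the same response.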

Update: You can also do this.
