NEWS FROM THE LAB - Monday, May 18, 2009

Rogue Browser Agents Posted by Sean @ 15:30 GMT

How big an issue are Rogue antivirus applications? Let's take a look.

What is your browser's user agent? Any ideas? The Firefox browser should look something like this:

What is my user agent?

You can determine yours from whatsmyuseragent.com. Now let's take a look at this user agent:

     Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about?

Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website.

Modified user agents could also be used to deliver different content. A victim whose browser already reports AntivirXP08 doesn't need to be convinced to download an installer; instead, they can be targeted with content that pushes them to complete the scam and buy the rogue.

How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08.

63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009".
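The sinkhole count above amounts to pulling the User-Agent field out of web server logs, matching it against the known rogue markers, and counting unique client IPs per marker. The script below is an added example of that measurement, not code from the lab; the log lines are constructed in Apache "combined" format with RFC 5737 documentation addresses, and matching is case-insensitive substring so that casing and suffix variations of a marker are still caught.

```python
import re
from collections import defaultdict

# Marker strings the post reports seeing inside modified user agents.
ROGUE_UA_MARKERS = ("AntivirXP08", "Antimalware2009")

# Constructed sample log lines (combined log format); not real sinkhole data.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2009:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
203.0.113.5 - - [18/Apr/2009:10:02:01 +0000] "GET /buy HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
198.51.100.7 - - [18/Apr/2009:11:15:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Antimalware2009)"
192.0.2.44 - - [18/Apr/2009:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.0.2.45 - - [18/Apr/2009:12:03:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; antivirxp08_v2; .NET CLR 2.0.50727)"
"""

# Combined log format: client IP is the first field, user agent the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return (client_ip, user_agent) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ua")) if m else None

def find_marker(ua):
    """Return the first rogue marker found in the user agent (case-insensitive), else None."""
    ua_lower = ua.lower()
    for marker in ROGUE_UA_MARKERS:
        if marker.lower() in ua_lower:
            return marker
    return None

def count_infected_ips(log_text):
    """Return {marker: unique client IPs seen with it, ..., "total": unique IPs overall}."""
    ips_by_marker = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ua = parsed
        marker = find_marker(ua)
        if marker:
            ips_by_marker[marker].add(ip)
    counts = {marker: len(ips) for marker, ips in ips_by_marker.items()}
    counts["total"] = len(set().union(*ips_by_marker.values())) if ips_by_marker else 0
    return counts
```

Counting unique IPs rather than requests avoids inflating the figure when one infected machine hits the sinkhole repeatedly, which is why the sample's two requests from 203.0.113.5 count once.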

It's a small measure of a very large problem.