User-agent Strings

A list of known user-agent strings used by malware. I have also included some regex that you can use to help you locate these user-agent strings in your logs. Please let me know if you have any that you would like to add, thank you.


Malware: Houdini / Iniduoh / njRAT
This one should pop right out in your logs. It uses the below characters as a field separator, so there will be several of these in the user-agent field (please note that there are two user-agent values below for this malware).
  • User-agent contains: <|>
  • Regex: <\|>
  • Regex: ((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))[^<|\\]+((<\|>)|(\\))((\w+)|(\W+))[^<|\\]+((<\|>)|(\\))[^<|\\]+((\w+)|(\W+))((\w+)|(\W+))+
    • I did not write the above regex for this one and I cannot remember where I found it, so I am unable to give credit. If it's yours then please let me know.
  • User-agent contains: {*}
  • Wireshark Filter: http.user_agent matches "\<\|\>"
  • Wireshark Filter: http.user_agent matches "\{\*\}"
Malware: Zero Access
  • User-agent: nsis_inetc (mozilla)
  • Regex: nsis_inetc\s\(mozilla\)
  • Wireshark Filter: http.user_agent matches "NSIS_Inetc" && http.user_agent matches "mozilla"
Malware: Generic Trojan
  • User-agent: Mozilla/5.0 WinInet
  • Regex: Mozilla\/5\.0\sWinInet
  • Wireshark Filter: http.user_agent matches "Mozilla\/5\.0 WinInet"
Malware: Dyre / Upatre
The following string was found on a Windows machine (note that there are two user-agent strings associated with this malware).
  • User-agent: Wget/1.9+cvs-stable (Red Hat modified)
  • Regex: Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)
  • User-agent: Mozilla/5.0 (Windows NT 6.1)
  • Wireshark Filter: http.user_agent matches "Wget\/1\.9\+cvs-stable" && http.user_agent matches "Red Hat modified"
  • Wireshark Filter: http.user_agent matches "Mozilla\/5\.0" && http.user_agent matches "Windows NT 6\.1"
Malware: Generic password stealing Trojan
  • User-agent: RookIE/1.0
  • Regex: RookIE\/1\.0
  • Wireshark Filter: http.user_agent matches "RookIE\/1\.0"
Malware: Zbot variant
Please note that there are two user-agent strings associated with this malware.
  • User-agent: Mazilla/4.0
  • User-agent: Mazilla/5.0
  • Wireshark Filter: http.user_agent matches "Mazilla\/4\.0"
  • Wireshark Filter: http.user_agent matches "Mazilla\/5\.0"
The following user-agent strings will require the use of Log Parser. Because these values are very short, an unanchored regex search will match them inside many legitimate user-agents and return a large number of results; match the whole field value instead.

Malware: Tupym
Although AutoIt is legitimate, finding this user-agent may indicate malicious activity. Make sure you investigate this a bit further if you find it in your log files.
  • User-agent: AutoIt
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'AutoIt'
  • Wireshark Filter: http.user_agent matches "^AutoIt$"
Malware: HkMain
Yes, this was actually found in proxy logs.
  • User-agent: M
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'M'
  • Wireshark Filter: http.user_agent matches "^M$"
Malware: Pennonec
  • User-agent: InetAll
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'InetAll'
  • Wireshark Filter: http.user_agent matches "^InetAll$"
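The following script is an added example (not part of the original post) showing how the regex signatures above and the short "whole value" signatures from the Log Parser section can be run together over a web proxy or access log. The log format (Apache combined, user-agent as the last quoted field), the folding of the two Zbot values into one pattern, the "^...$" anchors on the short values, and the sample log lines are all this example's own assumptions; IGNORECASE mirrors Wireshark's "matches" operator, which is case-insensitive by default.

```python
import re

# Signatures transcribed from the list above. Folding the two Zbot values into
# one alternation and anchoring the short values are this example's choices.
SIGNATURES = [
    ("Houdini / njRAT",          r"<\|>|\{\*\}"),
    ("Zero Access",              r"nsis_inetc\s\(mozilla\)"),
    ("Generic Trojan",           r"Mozilla/5\.0\sWinInet"),
    ("Dyre / Upatre",            r"Wget/1\.9\+cvs-stable\s\(Red\sHat\smodified\)"),
    ("Generic password stealer", r"RookIE/1\.0"),
    ("Zbot variant",             r"Mazilla/(4|5)\.0"),
    # Short values are anchored so that "AutoIt" or "M" appearing inside a
    # longer, legitimate user-agent does not fire. This is the same effect as
    # the equality match the post recommends for Log Parser.
    ("Tupym",                    r"^AutoIt$"),
    ("HkMain",                   r"^M$"),
    ("Pennonec",                 r"^InetAll$"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in SIGNATURES]

# Assumed log layout: Apache combined format, user-agent is the last quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def extract_user_agent(line):
    """Return the user-agent field of a combined-format log line, or None."""
    m = UA_FIELD.search(line.rstrip())
    return m.group(1) if m else None


def classify(user_agent):
    """Return the names of every signature the user-agent value matches."""
    return [name for name, rx in COMPILED if rx.search(user_agent)]


def scan_log(lines):
    """Return (line number, family, user-agent) for every matching log line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        ua = extract_user_agent(line)
        if ua is None:
            continue
        for family in classify(ua):
            hits.append((lineno, family, ua))
    return hits


# Constructed sample log (not real traffic). Lines 1 and 5 are benign; line 5
# contains "AutoIt" inside a longer value and must not match the anchored rule.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"',
    '10.0.0.6 - - [01/Jan/2015:10:00:01 +0000] "POST /is-ready HTTP/1.1" 200 12 "-" "HOST<|>USER<|>WINXP<|>No"',
    '10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET /upd.bin HTTP/1.1" 200 4096 "-" "nsis_inetc (mozilla)"',
    '10.0.0.8 - - [01/Jan/2015:10:00:03 +0000] "GET /dl HTTP/1.1" 200 40 "-" "AutoIt"',
    '10.0.0.9 - - [01/Jan/2015:10:00:04 +0000] "GET /x HTTP/1.1" 200 40 "-" "Mozilla/5.0 (compatible; AutoIt/3.3)"',
    '10.0.0.10 - - [01/Jan/2015:10:00:05 +0000] "GET /cfg HTTP/1.1" 200 40 "-" "M"',
    '10.0.0.11 - - [01/Jan/2015:10:00:06 +0000] "GET /gate.php HTTP/1.1" 200 40 "-" "Mazilla/4.0"',
    '10.0.0.12 - - [01/Jan/2015:10:00:07 +0000] "GET /a.exe HTTP/1.1" 200 40 "-" "Wget/1.9+cvs-stable (Red Hat modified)"',
]

if __name__ == "__main__":
    for lineno, family, ua in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {family}: {ua}")
```

To run it over a real file, replace SAMPLE_LOG with the file's lines; if your proxy writes a different layout, only UA_FIELD needs to change, since every signature is applied to the extracted user-agent value rather than to the whole line.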
The agents listed below have a high certainty of being malicious, but investigate further as they are very close to being legitimate user-agent values.

Malware: Egamipload
  • User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE 8\.0\; Windows NT 5\.1\; Trident\/4\.0"
Malware: Botnet / Adware
This was found in a known botnet as well as some adware.
  • User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE 6\.0\; Windows NT 5\.1\; SV1"
Malware: Yakes
Notice the lack of spacing within the parentheses.
  • User-agent: Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
  • Regex: Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\;MSIE 7\.0\;Windows NT 6\.0"
Malware: Andromeda
This looks like a genuine Opera user-agent, except that it is much shorter.
  • User-agent: Opera/9.80
  • Regex: Opera\/9\.80
  • Wireshark Filter: http.user_agent matches "^Opera\/9\.80$"
Malware: Bandoo Adware
  • User-agent: Mozilla/4.0 (compatible; MSIE; Win32)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE\; Win32"
Malware: IRCbot
  • User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE 8\.0\; Windows NT 6\.0"
Malware: Geodo / Feodo
I have still not confirmed if this user-agent string value is unique to this malware, so please use caution when investigating (note that there are two user-agent string values associated with this malware).
  • User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
  • User-agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
  • Wireshark Filter: http.user_agent matches "Mozilla\/5\.0" && http.user_agent matches "compatible\; MSIE 9\.0\; Windows NT 7\.1\; Trident\/5\.0"
  • Wireshark Filter: http.user_agent matches "Mozilla\/5\.0" && http.user_agent matches "Windows\; U\; MSIE 7\.0\; Windows NT 6\.0\; en-US"
Malware: Kuluoz
  • User-agent: Mozilla/5.0 (windows nt 6.1; wow64; rv:25.0) Gecko/20100101 firefox/25.0
  • Wireshark Filter: http.user_agent matches "Mozilla\/5\.0" && http.user_agent matches "windows nt 6\.1\; wow64\; rv\:25\.0" && http.user_agent matches "Gecko\/20100101 firefox\/25\.0"
Malware: Symmi
Please note that there are two user-agent strings associated with this malware.
  • User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.1288)
  • User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.1975)
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE 6\.0\; Windows NT 5\.1\; SV1\; \.NET CLR 1\.0\.1288"
  • Wireshark Filter: http.user_agent matches "Mozilla\/4\.0" && http.user_agent matches "compatible\; MSIE 6\.0\; Windows NT 5\.1\; SV1\; \.NET CLR 1\.0\.1975"
Spyware: Conduit Toolbar
Please see my post on this application.
  • Starts with: "SearchProtect" and uses a semi-colon as a field separator.
  • Breakdown of user-agent values:
    • SearchProtect;<Application Version>;<OS type and version>;<Unique identifier>
  • Example:
    • SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192
  • Regex to find the Unique Identifier field value:
    • ([a-zA-Z0-9]{10}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{12})
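As an added example (not part of the original post), the script below parses the SearchProtect user-agent into the four fields described above, validates the last field against the identifier regex from the post, and counts requests per unique identifier so that repeated requests from one installation are not mistaken for several infected hosts. The field names, the sample values other than the post's own example, and the count-per-identifier idea are this example's assumptions.

```python
import re
from collections import Counter

# Identifier pattern as given in the post: 10-4-4-4-12 alphanumeric groups.
UNIQUE_ID = re.compile(
    r"[a-zA-Z0-9]{10}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}"
)


def parse_searchprotect(user_agent):
    """Split a SearchProtect user-agent into its ';'-separated fields.

    Returns None when the value does not start with "SearchProtect;" or does
    not carry exactly four fields, so unrelated user-agents are skipped.
    The field names are this example's own labels.
    """
    if not user_agent.startswith("SearchProtect;"):
        return None
    fields = user_agent.split(";")
    if len(fields) != 4:
        return None
    return {
        "app_version": fields[1],
        "os": fields[2],
        "unique_id": fields[3],
        # A malformed identifier is flagged rather than dropped so the
        # request can still be examined.
        "id_well_formed": UNIQUE_ID.fullmatch(fields[3]) is not None,
    }


def count_installs(user_agents):
    """Count requests per unique identifier (one identifier per installation)."""
    counts = Counter()
    for ua in user_agents:
        parsed = parse_searchprotect(ua)
        if parsed:
            counts[parsed["unique_id"]] += 1
    return counts


# Constructed input: the first two entries repeat the post's own example, the
# rest are made up for this example.
SAMPLE_USER_AGENTS = [
    "SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192",
    "SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192",
    "SearchProtect;2.0.0.1;Microsoft Windows 8.1 Pro;SP00000000-1111-2222-3333-444444444444",
    "SearchProtect;2.0.0.1;Microsoft Windows 8.1 Pro;not-an-identifier",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(parse_searchprotect(ua))
    for unique_id, n in count_installs(SAMPLE_USER_AGENTS).items():
        print(f"{unique_id}: {n} request(s)")
```

Keying on the identifier rather than on the source IP is deliberate: behind a proxy or NAT several installations share one address, while the identifier stays with the installation.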
