Altering browser agent string and/or OS string as AV strategy?


Virus Guy

Many malware servers use the information in the browser agent string to
determine what operating system the user is using and deliver payload
code specifically crafted for that OS.

Why doesn't third-party AV and/or browser-protection software give the
user the choice of altering that string so that malware servers end up
delivering the wrong exploit code to the end user?

Or does typical browsing on legit websites rely too much on this string
to use it as an anti-malware strategy?

Or is it just too hard / difficult to alter this string (for whatever
reason)?

Here are a couple of popular ways to change the User Agent string when
using Firefox.

User Agent Switcher https://addons.mozilla.org/en-US/firefox/addon/59
Header Control https://addons.mozilla.org/en-US/firefox/addon/11327
 
Hello,

Symantec Endpoint does allow altering the user agent to a fixed 'IE 999.1'
(or something similar) string but warns that some websites may not work
properly when enabled. And it is true, once enabled, visits to Yahoo.com
immediately reverted to a basic functionality site asking users to upgrade
to a newer browser.

So having this option on by default can cause problems for users who aren't
aware of its implications on sites like Yahoo.
___
http://www.bootstrike.com/ComputerService/
Singapore Computer Home Remote On-Site Repair Service
 
Or does typical browsing on legit websites rely too much on this string
to use it as an anti-malware strategy?
Yes.

Or is it just too hard / difficult to alter this string (for whatever
reason)?

Opera has options to alter the user-agent string to make it look like
Firefox or Internet Explorer. This can be set on a per-site basis,
and is needed because many website coders choose what to send the
browser based on which browser/version is being used, instead of
learning how to detect what features the browser supports.

It's easy to use proxy software, such as Proxomitron, to alter the
agent, but it causes more problems than it's worth.

Regards, Dave Hodgins
 
David W. Hodgins said:

There are two components in the user browser string:

1) The browser being used
2) The OS being used

Is it possible (or useful) to fake *one* of those two to protect a
system against (some) malware payloads and yet not interfere with normal
web browsing?

For example, would faking only the OS component of the string accomplish
that?
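To make the "two components" question concrete, here is an added example (not code from any poster in this thread) of a toy server-side sniffer of the kind a UA-keyed site runs. It splits a User-Agent string into browser and OS, then picks a page variant the way such sites do; the sample strings are constructed, apart from the "Borgzilla" joke string quoted later in the thread. It shows that an OS-only spoof keeps the browser-keyed layout intact, while an unrecognisable browser token drops the visitor to the "basic" fallback page described above.

```python
import re

# Constructed sample User-Agent strings (not captured from a real site).
SAMPLES = {
    "real_firefox_windows": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
    "os_spoofed_firefox": "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0",
    "borgzilla": "Borgzilla/31.0 (X11;U;Linux i686;en-US;rv:31.0) Resistance is futile",
}

# Order matters: the first matching pattern wins, as in most sniffing code.
OS_PATTERNS = [
    ("windows", re.compile(r"Windows NT", re.I)),
    ("mac", re.compile(r"Mac OS X", re.I)),
    ("linux", re.compile(r"Linux", re.I)),
]
BROWSER_PATTERNS = [
    ("firefox", re.compile(r"Firefox/(\d+)")),
    ("chrome", re.compile(r"Chrome/(\d+)")),
    ("msie", re.compile(r"MSIE (\d+)")),
]


def parse_ua(ua):
    """Split a UA string into the two components the thread discusses:
    which browser (with major version) and which OS it claims to be."""
    browser, version = "unknown", None
    for name, pat in BROWSER_PATTERNS:
        m = pat.search(ua)
        if m:
            browser, version = name, int(m.group(1))
            break
    os_name = "unknown"
    for name, pat in OS_PATTERNS:
        if pat.search(ua):
            os_name = name
            break
    return {"browser": browser, "version": version, "os": os_name}


def choose_variant(ua):
    """Mimic a UA-sniffing site: the page layout is keyed on the browser,
    and an OS-specific download link is added only when the OS is known.
    An unknown browser token gets the degraded 'basic' page."""
    info = parse_ua(ua)
    if info["browser"] == "unknown":
        return "basic"
    variant = f"{info['browser']}-layout"
    if info["os"] != "unknown":
        variant += f"+{info['os']}-installer"
    return variant
```

Swapping only the OS token (the second sample) still yields the Firefox layout, so browser-keyed sites keep working; only OS-keyed content (here the installer link) changes.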
 
Virus said:
David W. Hodgins said:
Or does typical browsing on legit websites rely too much on this
string to use it as an anti-malware strategy?

Yes.

There are two components in the user browser string:

1) The browser being used
2) The OS being used

Is it possible (or useful) to fake *one* of those two to protect a
system against (some) malware payloads and yet not interfere with
normal web browsing?

For example, would faking only the OS component of the string
accomplish that?

My User Agent string reports:

Borgzilla/31.0 (X11;U;Linux i686;en-US;rv:31.0) Resistance is futile

What should the server do next? :-)

( I doubt faking the UA will help prevent malicious infections with poor
browsers, but it could likely screw up your experience at numerous web
sites. Heck, Captain Picard might get _your_ bank deposit! )
 
Beauregard T. Shagnasty said:
Virus said:
David W. Hodgins said:
Or does typical browsing on legit websites rely too much on this
string to use it as an anti-malware strategy?

Yes.

There are two components in the user browser string:

1) The browser being used
2) The OS being used

Is it possible (or useful) to fake *one* of those two to protect a
system against (some) malware payloads and yet not interfere with
normal web browsing?

For example, would faking only the OS component of the string
accomplish that?

My User Agent string reports:

Borgzilla/31.0 (X11;U;Linux i686;en-US;rv:31.0) Resistance is futile

What should the server do next? :-)

( I doubt faking the UA will help prevent malicious infections with poor
browsers, but it could likely screw up your experience at numerous web
sites. Heck, Captain Picard might get _your_ bank deposit! )

Information is power. A malware server could run a serverside script to
tailor exactly *what* to throw at the potential victim. This increases
efficiency for the server. I don't think it would make too much
difference to the potential victim though. The server could just spew
whatever exploits it wanted - Borgzilla would assimilate all - but
*inferior* browsers would fare less well.
 
Beauregard said:
My User Agent string reports:

Borgzilla/31.0 (X11;U;Linux i686;en-US;rv:31.0) Resistance is futile

Mine says
X-UserAgent: UnFuckingKnown
That's in the browser that reports anything in that field,
skews statistics for the curious who look at such logs.
 