Sunday, July 23, 2006

Block Browsezilla malware

This so-called browser named Browsezilla used to get onto my site with the old UA:

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browsezilla; .NET CLR 1.1.4322)"
Then those obnoxious assholes stepped it up a level by inserting a goddamn HTML hyperlink into the UA, which my bot blocker stops instantly, thinking it's referrer spam:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; <a href=http://browsezilla.org>Browsezilla </a>)
I almost felt bad for the assholes using this shit browser getting blocked, and nearly unblocked it for them, but decided to do a little research first, and HOLY SHIT, this thing appears to be evil.

Read this InternetNews alert, this Panda alert, and this detailed post by Oliver on a NotePet, and you'll probably agree it's a good idea all around just to block Browsezilla so their users will abandon this fucking malware before it's an epidemic.

I'm thinking it's best left blocked and possibly redirected to the InternetNews article to scare the shit out of people using the damn thing.
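As an added illustration (not the bot blocker this post describes, and not Browsezilla's code), here is a small Python filter that blocks the two user agents quoted above, either by the Browsezilla token or by the presence of an HTML tag in the UA, optionally answers with a redirect instead of a 403, and escapes the string before it is echoed into an HTML stats page. The function names, the redirect placeholder and the sample list are assumptions made for this example.

```python
import html
import re

# Constructed sample input: the two Browsezilla UAs quoted in the post plus an
# ordinary Firefox UA for contrast.
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Browsezilla; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; <a href=http://browsezilla.org>Browsezilla </a>)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
]

# Product tokens that are blocked outright (case-insensitive, whole word).
BLOCKED_TOKENS = ("browsezilla",)

# Any HTML tag inside a User-Agent header is not a real browser; treat it the
# same way the post's bot blocker treats referrer spam.
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def classify_ua(ua):
    """Return ('block', reason) or ('allow', '') for one User-Agent string."""
    if HTML_TAG_RE.search(ua):
        return "block", "html-in-ua"
    lowered = ua.lower()
    for token in BLOCKED_TOKENS:
        if re.search(r"\b" + re.escape(token) + r"\b", lowered):
            return "block", "blocked-token:" + token
    return "allow", ""


def response_for(ua, redirect_url=None):
    """Map the decision to an HTTP status and headers: 200 for allowed UAs,
    302 to redirect_url (a placeholder here) when given, otherwise 403."""
    decision, reason = classify_ua(ua)
    if decision == "allow":
        return 200, {}
    if redirect_url:
        return 302, {"Location": redirect_url}
    return 403, {"X-Block-Reason": reason}


def safe_log_line(ua):
    """Escape the UA before writing it into an HTML log or stats page so an
    embedded anchor is shown as text instead of becoming a live link."""
    return html.escape(ua, quote=True)


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify_ua(ua), safe_log_line(ua))
```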

5 comments:

Olliver said...

Thanks for the user agents, they're more than interesting. I tested this amazing application on a test install but due to networking being totally broken there I was unable to check the user agent string.

The first one surely is the old 1.x version of browsezilla and this id is likely the one that can be found under c:\browsezilla\id.txt of an installation. It's probably used to differentiate users so their remotely stored data won't get mixed up. Although the security concept here isn't exactly convincing... :-)

Regarding the most recent string, it seems the Forex Trading Bot has spawned a new trend with embedded HTML in User Agent strings. It's funny, though, that there are actually php scripts out there that do not strip that code and therefore help those people build up a sizable inbound link collection.

I'm waiting now for the next step, embedding onLoad window.location attributes in those links, so people get instantly redirected to PPC engines and spammers no longer need to generate millions of doorway pages :-)

IncrediBILL said...

Wait no longer as I blogged about the window.location vulnerability on May 9th.

Olliver said...

Thanks for the pointer. A while ago, I saw this in my log files as a variation with document.title that would display "Sorry" on vulnerable script pages.

I had a different vulnerability in mind, however, that would bypass simple filters looking for the "script" tag, as described here (1st example; should also work fine within an anchor tag).

In regard to the first Browsezilla user agent I was jumping the gun; I've just seen that the id was actually part of the requested document and not the user agent itself. Thus I take my previous statement back and apologise to the Russian Delphi (and security) wizard for my lack of concentration that led to this silly mishap :-)

David Ogletree said...

Your site does not look the same in IE and FF. The right side menu is way down on the right side in IE.

GaryK said...

David, that's just Bill's split personality showing itself. LOL