Wednesday, January 2, 2008

Impersonating Mac Browser

As I mentioned in the last post, Zlob fake codec sites are smart enough to detect whether you are running Windows or Mac. If you are an analyst or researcher who wants to download the DMG file, you cannot simply modify the URL or force the browser to download it; you can change the file extension, but the downloaded file will still carry the MZ header, which means it is a Windows executable.

To understand how this happens, let's capture the HTTP request with Ethereal and examine the data.

The browser sends a User-Agent header with the request for the page, and this header provides information such as the application name, compatibility token, platform and version, accepted language and the user's web browser.

So now you can see why.

If you are running Windows and want to download the Zlob fake codec for Macintosh, you can simply send a fake User-Agent header. This means sending a hand-crafted HTTP request to the server; this is impersonating the Mac browser.

There are many tools that can help with this job, for example curl, Fiddler and Malzilla, the latter known as a malware website hunting tool.
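As an added illustration (not code from the original post), here is the same request in Python: the User-Agent is spoofed on a urllib Request, and the returned bytes are classified by their magic bytes instead of by file extension, which is exactly the MZ check mentioned above. The User-Agent strings, the URL and the stand-in server used for the offline demo are constructed for this example, not taken from the post.

```python
"""Spoof a Mac User-Agent on an outbound request and verify what came back
by magic bytes (MZ header vs. DMG 'koly' trailer), not by extension."""
import io
import urllib.request

# Illustrative User-Agent strings (constructed for this example).
USER_AGENTS = {
    "windows": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "mac": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5; en-us) "
           "AppleWebKit/523.10.6 (KHTML, like Gecko) Version/3.0.4 Safari/523.10.6",
}

# Constructed sample payloads: a 64-byte blob with a DOS 'MZ' stub header, and a
# blob ending in a 512-byte Apple UDIF trailer whose first 4 bytes are 'koly'.
FAKE_EXE = b"MZ" + b"\x00" * 62
FAKE_DMG = b"\x00" * 1024 + b"koly" + b"\x00" * 508


def build_request(url: str, platform: str) -> urllib.request.Request:
    """Return a urllib Request whose User-Agent claims the given platform."""
    return urllib.request.Request(url, headers={"User-Agent": USER_AGENTS[platform]})


def classify_payload(data: bytes) -> str:
    """Identify the downloaded file from its bytes, never from the URL."""
    if data[:2] == b"MZ":
        return "pe"       # Windows executable (DOS stub at offset 0)
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"      # Apple disk image: 'koly' trailer in the last 512 bytes
    return "unknown"


def fetch_and_classify(url: str, platform: str, opener=urllib.request.urlopen):
    """Send the spoofed request through `opener` and classify the response body."""
    req = build_request(url, platform)
    with opener(req) as resp:
        data = resp.read()
    return classify_payload(data), len(data)


def _fake_server(req: urllib.request.Request) -> io.BytesIO:
    """Offline stand-in for the codec site: picks the payload from the User-Agent."""
    ua = req.get_header("User-agent", "")   # urllib stores header names capitalized
    return io.BytesIO(FAKE_DMG if "Macintosh" in ua else FAKE_EXE)


if __name__ == "__main__":
    for platform in ("windows", "mac"):
        kind, size = fetch_and_classify("http://example.invalid/codec", platform, _fake_server)
        print(f"{platform:8s} -> {kind} ({size} bytes)")
```

Replace `_fake_server` with the default `urllib.request.urlopen` to send the request for real; the classification step stays the same.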

The screenshot below shows how Malzilla downloads the DMG file on Windows.