Finding Security Issues in the HTTP Request Headers, and the Mac OSX Flashback Botnet

LogRhythm Labs has recently initiated a research project into HTTP Request Header analysis, including User Agent strings, in both proxy logs and web server logs. A few recent events have validated our interest in this topic. The recently identified botnet targeting Mac OSX machines, reportedly with more than 600,000 hosts compromised (Conficker-sized!), uses the bot's MAC address as the User Agent when phoning home to C&C.

Hosts infected with the Backdoor.Flashback.39 trojan can be identified with a simple regex looking for MAC address patterns in an organization's proxy logs (see below for example regexes). We've also gotten our hands on some IIS log data from a recent high-profile breach.

What we found was very interesting. The attackers didn’t bother to change the User Agent for the SQLi tools that were used. Both Havij and sqlmap were identified. Some simple whitelisting or blacklisting against the UA in the IIS logs would have easily caught these low-hanging fruit.

Stay tuned for more in-depth analysis of User Agent strings and HTTP Request Headers, as well as out-of-the-box content to help secure web applications using SIEM.

Example MAC Address Regexes:

No dashes, colons, or spaces: [a-fA-F0-9]{12}

With dashes, colons, or spaces: ([a-fA-F0-9]{2}(:|-|\s)){5}[a-fA-F0-9]{2}

UPDATE: Kaspersky Labs gives an example User Agent string for the Flashback malware. Here's a regex that will match it in proxy logs: id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}
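As an added example (not LogRhythm's code), the three patterns from this post are run over a few constructed log lines in combined log format, alongside a User Agent blacklist for the Havij and sqlmap strings mentioned above; the sample lines, the rule labels and the added word boundaries on the bare-MAC pattern are my own assumptions.

```python
import re

# Patterns from the post. The bare 12-hex-digit form is wrapped in \b here (my addition)
# because without boundaries it fires on any hash or token that contains 12 hex characters.
MAC_SEPARATED = re.compile(r"([a-fA-F0-9]{2}(:|-|\s)){5}[a-fA-F0-9]{2}")
MAC_BARE = re.compile(r"\b[a-fA-F0-9]{12}\b")
FLASHBACK_ID = re.compile(r"id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}")

# User Agent substrings of the SQLi tools the post saw in the breached IIS logs
SQLI_TOOL_UAS = ("havij", "sqlmap")

# Combined log format: the User-Agent is the last double-quoted field on the line
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def classify_user_agent(ua):
    """Return the list of rule labels (constructed names) that a User-Agent value triggers."""
    findings = []
    if FLASHBACK_ID.search(ua):
        findings.append("flashback-id")
    elif MAC_SEPARATED.search(ua) or MAC_BARE.search(ua):
        findings.append("mac-address-ua")
    lowered = ua.lower()
    findings.extend("sqli-tool:" + tool for tool in SQLI_TOOL_UAS if tool in lowered)
    return findings


def scan_log(text):
    """Return (client_ip, user_agent, findings) for every log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        match = UA_FIELD.search(line)
        if not match:
            continue  # malformed line, no quoted UA field to inspect
        ua = match.group(1)
        findings = classify_user_agent(ua)
        if findings:
            hits.append((line.split(" ", 1)[0], ua, findings))
    return hits


# Constructed sample lines: one benign browser, the two SQLi tools, a MAC-address UA and a Flashback-style id
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2012:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)"
10.0.0.7 - - [10/Apr/2012:09:12:08 +0000] "POST /login.php?id=1 HTTP/1.1" 200 88 "-" "Havij"
10.0.0.9 - - [10/Apr/2012:09:12:15 +0000] "GET /search.php?q=1 HTTP/1.1" 500 12 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.11 - - [10/Apr/2012:09:12:20 +0000] "GET /cgi-bin/check HTTP/1.1" 200 10 "-" "00:1c:42:9a:3f:b1"
10.0.0.12 - - [10/Apr/2012:09:12:31 +0000] "GET /owncheck/ HTTP/1.1" 200 10 "-" "id:3d9f0a1c-4b2e-7f10-a9c3-0a1b2c3d4e5f"
"""

if __name__ == "__main__":
    for ip, ua, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, repr(ua))
```

Run the MAC-address rules against a day of real proxy data before alerting on them, since legitimate User Agents occasionally embed hex identifiers that look like the bare form.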