Description
- When a genuine Firefox browser requests a web page (POST or GET), the User-Agent is set to 'Mozilla (Version)'. Some generic malware tries to disguise its traffic by setting the User-Agent to that of a browser, but does so poorly and sets it to 'Firefox' instead of 'Mozilla'. The sensor flags this mistake and treats any User-Agent set to 'Firefox' as malicious, because any legitimate request from a Firefox browser has the User-Agent set to 'Mozilla'.
Vector
- Port 80 HTTP
User-Agent
- Firefox
Known False Positive Indicators
- www.songlyrics.com (web page for listening to music and gathering song lyrics): the web page determines the browser but is poorly coded and labels Firefox as (Firefox) instead of (Mozilla). This appears malicious to the Sentinel and so gets flagged and blocked accordingly.
Affected Host
- Windows/Mac/Linux
Classification
- Malware
Sentinel Signature
- MALWARE User-Agent (Firefox) - Possible Trojan Downloader
DNS Calls
- None available as this user-agent is seen with generic malware that can fall under many categories.
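The check from the Description and the Known False Positive Indicators entry, as an added example (not the Sentinel's own rule logic). It assumes the match is on a User-Agent value that begins with "Firefox" and that the false positive is keyed on the Host header; the function names and sample requests are constructed for illustration.

```python
# Added example: classify raw HTTP requests by how the User-Agent starts.
KNOWN_FP_HOSTS = {"www.songlyrics.com"}  # false-positive host listed on this page

def parse_headers(raw_request: bytes) -> dict:
    """Return the request headers as a dict keyed by lower-cased name."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_request: bytes) -> str:
    """Return 'ok', 'alert' or 'known-fp' for one HTTP request."""
    headers = parse_headers(raw_request)
    ua = headers.get("user-agent", "")
    # Assumption: "set to Firefox" means the value begins with that token.
    # Genuine Firefox sends "Mozilla/5.0 (...) ... Firefox/<version>", so a
    # substring test would flag every real Firefox user.
    if not ua.startswith("Firefox"):
        return "ok"
    host = headers.get("host", "").split(":")[0].lower()
    return "known-fp" if host in KNOWN_FP_HOSTS else "alert"

def request(host: str, ua: str) -> bytes:
    """Build a constructed GET request for the samples below."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"user-agent: {ua}\r\nAccept: */*\r\n\r\n").encode("latin-1")

# Constructed sample traffic (not captured from any real host).
SAMPLES = [
    request("intranet.example.test",
            "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"),
    request("downloads.example.test", "Firefox"),
    request("www.songlyrics.com:80", "Firefox"),
]

def triage(samples=SAMPLES) -> list:
    """Classify every sample request in order."""
    return [classify(r) for r in samples]

if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The first sample shows why the match has to be anchored at the start of the value: a genuine Firefox User-Agent also contains the word "Firefox", but only after the "Mozilla/" prefix.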