TITLE: Server-side malware detection
DESCRIPTION: some malware announces itself by appending a token to the browser's User-Agent header; this snippet matches that header against a list of known tokens
/* Author: Ollie
   Date: 31-12-2007 
   Description: Obviously this doesn't catch all malware, only the families that add
                a recognisable token to the browser's User-Agent header. The header is
                client-supplied, so anything can spoof or remove it; treat a match as a
                hint for logging or triage, never as proof.
                I have no idea what use this could be, but someone might like it.
*/


// CODE  
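<?php
/*
 * Server-side adware/spyware detection based on the User-Agent header.
 *
 * Security notes for whoever wires up the "do something" branch:
 *  - $_SERVER['HTTP_USER_AGENT'] is attacker-controlled input. A client can
 *    send any value (or none), so a match is a weak signal that can be spoofed
 *    or suppressed at will; use it for logging/triage, not for access control.
 *  - Never echo the raw header back into HTML. If you log or display it,
 *    escape it for the output context (htmlspecialchars() for HTML).
 *  - The table dates from 2007 and several keys ("3a", "IST", "IEP", "mez",
 *    "Bundle", "Wise", "update") are short, case-sensitive substrings that
 *    can plausibly appear in legitimate User-Agent strings, so expect false
 *    positives if you act on a hit automatically.
 */

// Signature table: PCRE fragment => human-readable name.
// Each key is inserted verbatim between "/.../", so it is a regex fragment,
// not a literal: "\." and "\|" are escaped metacharacters, "\/" keeps the
// delimiter safe, "\ " is a literal space. A key containing an unescaped "/"
// or an invalid pattern would make preg_match() return false for every
// request — the matcher below treats that as "no match", not as a hit.
$malware = array(
"Alexa\ Toolbar" => "Alexa Search Toolbar",
"Apropos" => "Apropos Spyware from PeopleOnPage Inc",
"EnvoloAutoUpdater" => "Apropos Spyware from PeopleOnPage Inc",
"Browser\ Adv" => "Browseraid.com Agent",
"Feat\ Ext" => "CoolWebSearch Spyware",
"Feat2\ Installer" => "CoolWebSearch Spyware",
"Feat2\ updater" => "CoolWebSearch Spyware",
"firestarter" => "CoolWebSearch Spyware",
"iefeatsl" => "CoolWebSearch Spyware",
"SCAgent" => "CoolWebSearch Spyware",
"searchengine2000.com" => "CoolWebSearch Spyware",
"sureseeker.com" => "CoolWebSearch Spyware",
"\.exe\|" => "Direct-Revenue.com (abetterinternet.com)'s Malware",
"IEP" => "Direct-Revenue.com (abetterinternet.com)'s Malware",
"Poller\|1\.1\.0\." => "Direct-Revenue.com (abetterinternet.com)'s Malware",
"MGS-Internal-Web-Manager" => "Downloadware spyware",
"ESB{" => "EasySearchBar",
"HelperH" => "Enhance My Search Spyware",
"mez" => "Ezula Related Calling Home",
"eZula" => "eZula spyware",
"3a" => "Ezula Update Engine",
"FunWebProducts" => "FunWebProducts",
"FunWebSearch" => "FunWebProducts",
"Gator" => "Gator Agent Traffic",
"hostie" => "Hotbar Adware",
"hostoe" => "Hotbar Adware",
"hostoi" => "Hotbar Adware",
"hostol" => "Hotbar Adware",
"Hotbar " => "Hotbar Adware",
"Windows SR 2.0" => "IESearch Spyware",
"IOKernel" => "Internet Optimizer",
"IST" => "ISearchTech.com XXXPornToolbar",
"MyApp" => "ISearchTech.com XXXPornToolbar",
"Kontiki" => "Kontiki Download Manager (bundled with Spyware)",
"Sidesearch" => "Lycos Sidesearch ",
"OSSProxy" => "MarketScore.com Spyware",
"MERONG" => "Overpro malware",
"OCSLab" => "PeopleOnPage malware",
"iWonSearchAssistant" => "Search toolbar owned by AskJeeves",
"MyTotalSearch" => "Search toolbar owned by AskJeeves",
"MyTotalSearchSearchAssistant" => "Search toolbar owned by AskJeeves",
"MyWay" => "Search toolbar owned by AskJeeves",
"MyWebSearch" => "Search toolbar owned by AskJeeves",
"MyWebSearchSearchAssistant" => "Search toolbar owned by AskJeeves",
"Bundle" => "Shop at Home Select Spyware",
"SAH\ Agent" => "Shop at Home Select Spyware",
"SideStep\ Client" => "SideStep Spyware",
"NSISDL" => "Smartpops.com or Medialoads.com Spyware",
"Wise" => "SpywareLabs Application Install",
"SurferPlugin " => "SurfPlayer Spyware",
"svcmm32\.exe" => "SvcMM parasite downloader",
"TSA\/" => "Target Saver Spyware",
"TIBSBrowser " => "TIBS Browser Adult-Site Dialer",
"TIBS\ Loader" => "Tibsystems Spyware",
"Topconvertingagent" => "Top Converting Agent",
"UCmore" => "UCMore Spyware",
"Visicom\ Toolbar" => "Visicom Media Spyware",
"404search" => "Wild Media Spyware",
"update" => "Wild Media Spyware",
"Wildtangent" => "Wildtangent Online Game Spyware",
"istsvc" => "YourSiteBar",
"ZangoToolbar" => "Zango Toolbar",
);

/**
 * Match a User-Agent string against the signature table.
 *
 * @param array  $signatures PCRE fragment => description (see $malware above)
 * @param string $userAgent  raw header value; client-supplied, may be empty
 * @return array the matching entries, keyed by pattern, in table order;
 *               empty when nothing matched
 */
function detect_malware_user_agent(array $signatures, $userAgent)
{
    $hits = array();
    foreach ($signatures as $pattern => $description) {
        // preg_match() returns 1 on a hit, 0 on no hit and false when the
        // pattern itself is broken. Only a strict 1 counts, so one bad table
        // entry cannot flag every visitor.
        if (preg_match('/' . $pattern . '/', (string) $userAgent) === 1) {
            $hits[$pattern] = $description;
        }
    }
    return $hits;
}

// The header is absent for some clients (e.g. curl -H 'User-Agent:'), so
// default to '' instead of tripping an undefined-index notice.
$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

// $malwarematches tells you *which* signature(s) fired, which the original
// boolean threw away; $malwaredetected keeps the old flag for existing callers.
$malwarematches = detect_malware_user_agent($malware, $useragent);
$malwaredetected = count($malwarematches) > 0;

if ($malwaredetected) {
    //do something
    // e.g. log $malwarematches (escape $useragent before writing it anywhere
    // that renders HTML). Do not block or redirect on this alone: the header
    // is trivially spoofable and the table is prone to false positives.
}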