Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Supplied by blueyonder)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; IEMB3; .NET CLR 2.0.50727; IEMB3)
It looks as if an old UA has been nested within a new one but the inside one always seems to be...
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ;
I'm used to seeing similarly corrupt strings from bsalsa, megaupload, deepnet and a few toolbars like zango but this seems to be something new and consistent, starting around 30th November.
Coming straight after the latest MS patches I'm inclined to think they have been badly patched by MS but does anyone know? They all seem to come from IPs I associate with normal users but who knows with the latest trojans?
I'm getting the impression that the UA is being corrupted IF it contains non-MS or unusual MS content (funweb, media center, ISP branding etc). Whether or not it's MS's fault or the browsers have had a subsequent update from other sources is difficult to determine. It's always possible that some firewall or anti-virus tool is adding the base MSIE string into the middle of the UA rather than removing it.
On which thought: the inserted UA is exactly the same as one of the crummy old AVG 1813-less UAs. AVG had a major update a short while ago: perhaps this is some kind of residue caused by browsing via AVG or similar. Possibly not.
A lot, but not all, are trailing a google search referer with them. Others have some other referer and some none at all.
.... Where Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; was injected in the UA after installing Trend Micro Internet Security 2008.
The example I've just looked at in the full site logs (admittedly only one but seemingly typical according to the trap logs) collected images, css and javascript as though it were a normal human browse. It also included expected encoding headers and referer which the likes of AVG signatures (in my experience) don't. Maybe Trend does that but if it always has then why the sudden increase in instances, far more than I've seen in the past? I can't believe everyone is suddenly going over to Trend.
On the other hand, there aren't enough instances to suggest my surmise re: MS update can be the cause, although the number is increasing.
In the past couple of days I've also noted a couple of instances where the inserted string is not Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; but some other apparently valid MSIE string. Rare so at the moment I'm ignoring them as possible aberrations or forgeries.
As it is, I've reverted to simply logging the original insertion variant for observation and passing the pages to the user.
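The nesting pattern discussed in this thread can be picked out of a log mechanically, which makes it easy to log the variant without blocking the visitor. The sketch below is an added example, not code from any poster in the thread; the function names and labels are assumptions, and the last two sample strings are constructed.

```python
import re
from collections import Counter

# Inner string reported throughout the thread (taken from the page).
KNOWN_INNER = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# A complete "Mozilla/x.y (compatible; MSIE ...)" product with no nested parentheses.
# The outer UA never matches at offset 0 when it contains a nested one, because its
# comment hits the inner "(" before reaching a ")".
MSIE_RE = re.compile(r"Mozilla/\d\.\d \(compatible; MSIE [^()]*\)")

def classify_ua(ua):
    """Return (label, outer_tokens, inner) for one User-Agent value."""
    nested = [m for m in MSIE_RE.finditer(ua) if m.start() > 0]
    if not nested:
        return ("clean", None, None)
    m = nested[0]
    inner = m.group(0)
    # Cut the nested string out, then tokenise what is left of the outer comment.
    outer = ua[:m.start()] + ua[m.end():]
    body = outer.partition("(")[2].rpartition(")")[0]
    tokens = [t.strip() for t in body.split(";") if t.strip()]
    label = "known-variant" if inner == KNOWN_INNER else "other-variant"
    return (label, tokens, inner)

def tally(uas):
    """Count labels across a batch of User-Agent values (e.g. one day's log)."""
    return dict(Counter(classify_ua(u)[0] for u in uas))

SAMPLE = [
    # First two are quoted from the thread.
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Mozilla/4.0 (compatible; "
    "MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; "
    "Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; Mozilla/4.0 "
    "(compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322)",
    # Constructed: an ordinary, un-nested MSIE 7 string.
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)",
    # Constructed: a nested string that is not the usual inner variant.
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Mozilla/4.0 (compatible; "
    "MSIE 7.0; Windows NT 5.1) ; SLCC1)",
]

if __name__ == "__main__":
    for ua in SAMPLE:
        print(classify_ua(ua))
    print(tally(SAMPLE))
```

The recovered outer tokens show which third-party additions (FunWebProducts, Media Center PC, ISP branding) accompany the nesting, which is the correlation suspected earlier in the thread.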