
Adware or Spyware in User Agent string

Is this a problem or just infected visitor?


grandma genie

10:33 pm on Sep 3, 2010 (gmt 0)

10+ Year Member



Hello everyone - I've seen some odd listings in the User Agent strings in my server logs for today. One was Zango and the other was "Embedded Web Browser from: bsalsa.com". I assume these are just an indication that the visitor's machine is infected with spyware. Should I be concerned with the visitor? Would this indicate this individual is spending time in places they shouldn't? It would be an easy matter to block them, but I don't want to block a potential sale. What is the common consensus?

Also, my website was offline today for a couple of hours. My host said: "I was working on an issue early in the day to resolve what appeared to be a scanner attempting to compromise the server and it dropped the dedicated IP for your site until I reset it."

So, I wasn't sure who the "scanner" was. The only odd things I saw on my logs were the Zango and Bsalsa and some CCBots. The CCBots had already been blocked, but I guess that doesn't keep them from coming around. -- Grandma_genie

Brett_Tabke

1:24 pm on Sep 4, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Do a search on bsalsa and you will see it looks to be a legit browser.

Generally if a browser is up to mischief, it won't announce that it is in an agent string.

dstiles

5:06 pm on Sep 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Bsalsa is a "legit" browser add-in but causes a lot of UA corruptions so is difficult to pin down to an absolute UA. It also handles high speed downloads aka site scraping. Banned here for ages with a UA specific note to visitor along the lines of "Don't be stupid, get a decent browser." :)

Zango is an evil toolbar from the user's viewpoint but not from ours. I have a tag on it that reports its incidence to a log but nothing untoward seems to result. Crazy Browser, MRSPUTNIK, SpamBlockerUtility and a couple of dozen others are also logged as "watch this UA".
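The "watch this UA" idea above (log the incidence of a suspect user agent without blocking it, and block only a short list outright) can be scripted against an access log. The following is an added example, not code from this thread or from any poster; it assumes Apache "combined" log format, and the marker strings and the 403/405 choice come from the posts in this thread, while the sample log lines, IP addresses and version numbers are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Apache "combined" log format; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# UAs the thread treats as "watch this UA": log their incidence, do not block.
WATCH_UAS = ("zango", "crazy browser", "mrsputnik", "spamblockerutility")
# UAs the thread's posters block outright.
BLOCK_UAS = ("bsalsa",)


@dataclass
class Verdict:
    ip: str
    ua: str
    action: str            # "allow", "watch" or "block"
    status: Optional[int]  # HTTP status to send when blocking, else None


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua: str, block_status: int = 403) -> tuple[str, Optional[int]]:
    """Case-insensitive substring match: Bsalsa mangles UAs, so exact matching misses it."""
    lowered = ua.lower()
    if any(marker in lowered for marker in BLOCK_UAS):
        return "block", block_status
    if any(marker in lowered for marker in WATCH_UAS):
        return "watch", None
    return "allow", None


def triage(lines, block_status: int = 403) -> list[Verdict]:
    """Classify every parseable log line; malformed lines are skipped, not fatal."""
    verdicts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, status = classify_ua(rec["ua"], block_status)
        verdicts.append(Verdict(rec["ip"], rec["ua"], action, status))
    return verdicts


# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Sep/2010:10:15:02 +0000] "GET /teddy-bears HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Zango 10.0.341.0)"',
    '198.51.100.7 - - [03/Sep/2010:10:16:44 +0000] "GET /catalog HTTP/1.1" 200 8844 "-" '
    '"Embedded Web Browser from: bsalsa.com"',
    '203.0.113.5 - - [03/Sep/2010:10:17:01 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # block_status=405 mirrors dstiles' choice; 403 is the more conventional answer.
    for v in triage(SAMPLE_LOG, block_status=405):
        print(f"{v.ip:15} {v.action:5} {v.status or '-'}  {v.ua}")
```

Two caveats that the thread itself raises apply to anything built on this: the user agent is whatever the client chooses to send, so a scanner that is blocked can simply change it, which makes this a triage and logging signal rather than a security boundary; and, as Mokita's colleague shows, a "block" marker can sit on an innocent machine, so the blocked response should say what the visitor can do about it.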

grandma genie

6:09 pm on Sep 4, 2010 (gmt 0)

10+ Year Member



Most common folk don't go around looking for a special browser to search the Internet, especially for a site like mine, selling stuffed animals, so it doesn't make sense for a person to be using a browser add-on unless they got it accidentally, which I don't think is the case with Bsalsa. I think you have to add it yourself. It looks like the visitor infected with Zango was innocent enough, but I think I'll block the Bsalsa visitors. They seem to be more than casual visitors, and I already have too much trouble with ubiquitous scrapers.

Mokita

8:30 pm on Sep 4, 2010 (gmt 0)

10+ Year Member



I used to 403 user agents containing bsalsa, as I saw a lot of suspicious behavior from them and they invariably came from suspicious countries like China and Russia etc.

But I removed the block after a colleague suddenly couldn't access one of our sites. I found from the logs that he had bsalsa installed, asked why, and he was mystified. He had no idea it was on his machine or how it got there. He swore that he never knowingly installed it, and did not even want it - and I believe him as he is very trustworthy.

So it can be installed on an innocent person's computer without their direct knowledge.

dstiles

10:46 pm on Sep 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Of the two complaints we've had about Bsalsa that the punter responded to when we explained, both said the same thing. Can't vouch for their veracity though. :)

I actually feed a 405 (Access Method Not Allowed) rather than a 403.

keyplyr

11:10 pm on Sep 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RE: Embedded Web Browser from: bsalsa.com

In reading the tools offered from bsalsa, you'll find that their embedded browser includes a download manager. I block all download managers categorically. I also block anything from bsalsa.

Mokita

6:20 am on Sep 5, 2010 (gmt 0)

10+ Year Member



dstiles wrote:
I actually feed a 405 (Access Method Not Allowed) rather than a 403.


I've toyed with the idea of doing that, but could never work out how to word the error message.

Would you be so kind as to give me an example of what you use?

dstiles

4:52 pm on Sep 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The message is exactly as I gave it (without the parentheses). HOW you implement it depends on the operating system and whether you have htaccess or use a programming language to control access.

Mokita

5:26 pm on Sep 5, 2010 (gmt 0)

10+ Year Member



Ah, many thanks for the reply. I thought you would have a message explaining why the visitor got a 405. It must puzzle them immensely, wondering what caused it.

405 is so uncommon, I don't think I have ever been served one - and I've been on the net since the early 1990s.

If you don't explain that their browser is the problem, what is the practical difference to serving up a 403? In both cases there is nothing they can do to rectify the situation.

dstiles

6:12 pm on Sep 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sorry, yes. I see what you mean. There is a message saying why - basically what was discussed above with a recommendation to use a decent browser. But it's YOUR reason for blocking, which may be different from mine. Check out the Bsalsa web site.

keyplyr

7:18 pm on Sep 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I use the same message for 403 and 405, formatted accordingly, but it says:

Forbidden
__________________________________________

Permission to access this server is denied.

* Possible Reasons:

  o You are in violation of copyright.
  o You are hiding your browser or user agent.
  o You are using a tool or method not allowed.

Your IP address: 12.34.56.789 has been logged.

grandma genie

10:54 pm on Sep 5, 2010 (gmt 0)

10+ Year Member



I've been scanning my server logs for a few years now. I didn't know what a server log was before then. I've only seen the "Embedded Web Browser from: bsalsa.com" once. If I start seeing lots of them now that they are blocked, I might rethink my position. But the really odd thing is since I started blocking user agents, I'm seeing more and more different ones. Can a nefarious scanner change the user_agent if the one they were using gets blocked?

Pfui

4:20 am on Sep 6, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In a word: Yes.

Mokita

4:26 pm on Sep 6, 2010 (gmt 0)

10+ Year Member



@keyplyr

Thank you! Your example is very helpful.

Dijkgraaf

4:28 am on Sep 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I see both Zango and Bsalsa UAs in my logs. In some cases, yes, they are Russian spammers / Websense, but others seem to be genuine users browsing.