Lab 14-3 Solutions
Short Answers
The hard-coded headers include
Accept
,Accept-Language
,UA-CPU
,Accept-Encoding
, andUser-Agent
. The malware author mistakenly adds an additionalUser-Agent:
in the actual User-Agent, resulting in a duplicate string:User-Agent: User-Agent: Mozilla...
. The complete User-Agent header (including the duplicate) makes an effective signature.Both the domain name and path of the URL are hard-coded only where the configuration file is unavailable. Signatures should be made for this hard-coded URL, as well as any configuration files observed. However, it would probably be more fruitful to target just the hard-coded components than to link them with the more dynamic URL. Because the URL used is stored in a configuration ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.