Lab 14-3 Solutions
The hard-coded headers include User-Agent. The malware author mistakenly adds an additional User-Agent: inside the actual User-Agent value, resulting in a duplicated string: User-Agent: User-Agent: Mozilla.... The complete User-Agent header (including the duplicate) makes an effective signature, because no legitimate client produces the repeated field name, whereas the Mozilla string on its own would match ordinary browsers.
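The following is an added example, not code from the book or the lab binary. It parses a raw HTTP request the way a simple header parser (or a content signature) would see it and shows why the duplicated field name, rather than the Mozilla string alone, is the part worth matching. The host name, path and full Mozilla string in the sample requests are constructed placeholders; the real malware's User-Agent value is not reproduced here.

```python
import re

# Constructed sample requests for illustration only; not captures from the lab
# binary. The Mozilla string and host are placeholders.
MALWARE_REQUEST = (
    b"GET /some/path.htm HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# A normal client sending the same Mozilla string once: must not match.
BENIGN_REQUEST = (
    b"GET /some/path.htm HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# The telltale text appears only in the body, not in the headers: must not match.
BODY_ONLY_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"User-Agent: User-Agent: Mozilla/"
)


def parse_headers(request: bytes) -> list[tuple[bytes, bytes]]:
    """Split a raw request into (lower-cased name, value) header pairs.

    The split is on the first ':' only, so the line
    'User-Agent: User-Agent: Mozilla...' parses as name b'user-agent' with
    value b'User-Agent: Mozilla...': the duplicated field name lands inside
    the value, which is exactly where the check below looks for it.
    """
    head, _, _body = request.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line; ignore it
        headers.append((name.strip().lower(), value.strip()))
    return headers


def has_duplicated_user_agent(request: bytes) -> bool:
    """True when a User-Agent header's value itself begins with 'User-Agent:'."""
    return any(
        name == b"user-agent" and value.lower().startswith(b"user-agent:")
        for name, value in parse_headers(request)
    )


# Raw-byte form, closer to how a content signature would be written: anchored at
# a line start and applied to the header block only, so body content cannot
# trigger it.
DUPLICATE_UA_RE = re.compile(rb"^User-Agent: User-Agent: ", re.MULTILINE)


def matches_raw_signature(request: bytes) -> bool:
    head, _, _body = request.partition(b"\r\n\r\n")
    return DUPLICATE_UA_RE.search(head) is not None


if __name__ == "__main__":
    for label, req in (("malware", MALWARE_REQUEST),
                       ("benign", BENIGN_REQUEST),
                       ("body-only", BODY_ONLY_REQUEST)):
        print(label, has_duplicated_user_agent(req), matches_raw_signature(req))
```

Both checks fire on the constructed malware request and stay silent on the benign browser request and on a request that carries the string only in its body. Restricting the raw pattern to the header block matters: a signature that searched the whole payload would fire on any upload or log file that happened to contain the text.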
Both the domain name and path of the URL are hard-coded only when the configuration file is unavailable. Signatures should be made for this hard-coded URL, as well as for any configuration files observed. However, it would probably be more fruitful to target just the hard-coded components than to tie them to the more dynamic URL. Because the URL used is stored in a configuration ...