The hard-coded headers include
malware author mistakenly adds an additional User-Agent: in the actual User-Agent, resulting in a duplicate string: Mozilla.... The complete User-Agent header (including the duplicate) makes an effective
Both the domain name and path of the URL are hard-coded only where the configuration file is unavailable. Signatures should be made for this hard-coded URL, as well as any configuration files observed. However, it would probably be more fruitful to target just the hard-coded components than to link them with the more dynamic URL. Because the URL used is stored in a configuration ...
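The duplicated User-Agent artifact described above can be checked for in captured HTTP requests. The Python below is an added example, not code from the original text. It flags only the doubled header name rather than the complete header string, and the sample requests, hosts, paths and User-Agent values are constructed placeholders.

```python
import re

# A User-Agent header whose value itself begins with the header name,
# i.e. "User-Agent: User-Agent: ...". Header names are case-insensitive.
DUP_UA = re.compile(rb"^User-Agent:[ \t]*User-Agent:", re.IGNORECASE)


def header_lines(raw: bytes) -> list[bytes]:
    """Header lines of a raw HTTP request: request line and body dropped."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    return head.splitlines()[1:]


def has_duplicated_user_agent(raw: bytes) -> bool:
    """True when a User-Agent header value starts with 'User-Agent:'."""
    return any(DUP_UA.match(line) for line in header_lines(raw))


def scan(requests: dict[str, bytes]) -> list[str]:
    """Labels of the captured requests that carry the artifact."""
    return [name for name, raw in requests.items()
            if has_duplicated_user_agent(raw)]


# Constructed samples; none of these values come from the analysed malware.
SAMPLES = {
    "suspect": (b"GET /placeholder HTTP/1.1\r\n"
                b"Accept: */*\r\n"
                b"User-Agent: User-Agent: Mozilla/4.0 (constructed)\r\n"
                b"Host: example.invalid\r\n\r\n"),
    "browser": (b"GET / HTTP/1.1\r\n"
                b"User-Agent: Mozilla/5.0 (constructed)\r\n"
                b"Host: example.invalid\r\n\r\n"),
    # The string appears only in the body, so a header-scoped check must
    # not fire; a payload-wide content match would.
    "body-only": (b"POST /placeholder HTTP/1.1\r\n"
                  b"User-Agent: Mozilla/5.0 (constructed)\r\n"
                  b"Content-Length: 25\r\n\r\n"
                  b"User-Agent: User-Agent: x"),
    # Lower-case header name, tab separator, bare LF line endings.
    "mixed-case": (b"GET / HTTP/1.1\n"
                   b"user-agent:\tUser-Agent: Mozilla/4.0 (constructed)\n"
                   b"Host: example.invalid\n\n"),
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Scoping the match to the header section is what keeps the body-only request from producing a false positive.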