GoldenEye 2.1 released with even more randomness
Recently I’ve discovered that GoldenEye got his first signature from a big vendor.
That’s funny since the main GoldenEye objective is to be signature-proof due its randomness. I’ve done a quick search on the internet and found the signature update link for their products, downloaded, located that one mentioned above.
It was a very crude signature, as expected:
<Pattern><![CDATA[\[Cache-Control: (must-revalidate, )?no-cache\].*]]></Pattern>
<Pattern><![CDATA[.*\[(Mozilla/\d\.\d|Opera 9.80) \((Windows|X11|compatible); U?; (Linux|Windows NT \d\.\d|MSIE \d\.\d)\].*]]></Pattern>
Mostly are the only static texts GoldenEye had (since this update ;)). These are mostly leftovers from Barry’s HULK, which GoldenEye was spawned from.
No worries, this new patch include the following changes:
- Referer strings from search engines now only domain part hardcoded (rest
- Referer generation function now generates even more random referers.
- NO MORE HARDCODED USER AGENTS. I admit, hardcoded user agents were lame. There’s now a User-Agent Generator function that will generate RFC-2616 compliant user-agent strings.
- External User-Agent List Support: As the generator function may generate UAs for inexistent browser version + plugin version combinations, you can now supply your own list of User-Agents (one per line – text file) via the
no-cacheI’ve added the directive
max-age=0that does basically the same thing. GoldenEye will chose one of them during the strike request.
- More random keepalive values: They’re 110-120 (legacy), now they’re random 1-1000
- User-Agent lists: I’ve added a
resdirectory for external resources. Multiple text files were placed there with user agents from different platforms.
- Utilities! Now the getuas.py scrapes (requires BeautifulSoup) http://www.useragentstring.com/ URLs.
About the User-Agent generation algorithm
The user-agent string follows the following format: Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]
I have a python dictionary with OS-specific values and Platform-specific (Webkit, Gecko, Internet Explorer) values. There are many options for each one. Mostly generated on the fly thanks to python’s dynamic lists generation.
Here’s an example of the property generation
'name': [ 'AppleWebKit/%d.%d' % (random.randint(535, 537), random.randint(1,36)) for i in range(1, 30) ],
'details': [ 'KHTML, like Gecko' ],
'extensions': [ 'Chrome/%d.0.%d.%d Safari/%d.%d' % (random.randint(6, 32), random.randint(100, 2000), random.randint(0, 100), random.randint(535, 537), random.randint(1, 36)) for i in range(1, 30) ] + [ 'Version/%d.%d.%d Safari/%d.%d' % (random.randint(4, 6), random.randint(0, 1), random.randint(0, 9), random.randint(535, 537), random.randint(1, 36)) for i in range(1, 10) ]
Upon program start, it will generate N random values and populate the python list. As lists can be easily joined with the
+ operator, this makes dynamic list generation a charm. The same goes to OS-specific values
'ext': [ 'Intel Mac OS X %d_%d_%d' % (random.randint(10, 11), random.randint(0, 9), random.randint(0, 5)) for i in range(1, 10) ]
Any effort now to block our user-agents will block legitimate traffic also :)
About referer generation
In the previous GoldenEye versions, referers were crude and simple, like search engine search urls with some random parameter. Now referers are generated like request urls:
- Random PATH (/Hiad727ja)
- Random QueryString key and value names
- Random QueryString key and value quantity
- Random QueryString presence
As it was before, referer presence is also random.
I think that covers all the changes for this version.
Download, test (please, not on other people’s servers) and report!