The Mystery of a Session Cookie

Published: 2015-03-09
Last Updated: 2015-03-09 21:56:59 UTC
by Lenny Zeltser (Version: 1)
3 comment(s)

An ISC reader sent us a note about a session cookie that has been appearing in web server logs; the cookie contents triggered cross-site scripting alerts from the Web Application Firewall. Across the various HTTP session instances, the cookie contained the same hash: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661. Other contents of the cookie included references to malicious-looking third-party URLs that contained affiliate IDs.

I came across an HTTP request on my own server from about a month ago, which contained the same hash value. It looked like this:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%226fe15833-083e-4364-84ec-e4a5b9f61ad6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://zeltser.com/extracting-swf-from-pdf-using-swf-mastah%22%2C%22firstReferrer%22:%22https://www.google.nl%22%2C%22actionUrl%22:%22https://interyield.jmp9.com/InterYield/rd.do?affiliate%3Dnxldg2&subid%3D36x55x&adCountIntervalHours%3D10&maxAdCountsPerInterval%3D10&snoozeMinutes%3D3&url%3Dhttp%253A%252F%252Frd-direct.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D67935%2526subid%253D36x55x%2526terms%253Dzeltser.com%252520extracting%252520malicious%252520flash%252520objects%252520from%252520pdfs%252520using%252520swf%252520mastah%2526ai%253DGBGY6n-oRoaZ5DbR3BvafDuwZZBHn_Zj87Ciuqy_NiyMy4vZ9stpcd-fUa2UQ4DNx6GUMEj6KeGzltSVzUDRpVk07lWGpUkMlyMG9WcqGbazGffYI9a0cQ_J3FAxb2mL-WwfCJMawYXUETMOQe_CEk1s2vaRI8fq4K3Py5tve0uM4UPyCump1wSNSctzDKm_Heo-CfJZ22AHKUGAA9vCWhmxe1tlg4XjKiyKsUF9q5zzg0jCAeKNHyDqhsVo3r-FUjUmxQbTjRD772JxVD6l9h6R91sJQv9o_GcfcHebSu6NpGla5Wh9eEto8cK2LGb79D3XJm_Agq05Hvr0gevAXCxfNltsfRuPnXnSpSHU8x8XkZ-Ss54r7j-BHL_RLNOI-V7hnpAV_gx6J0Fsvdm99Qfm_U7AppaCJQNh-x93VU6nqyjUXFeIdB4o-MlIBv_Y51meo4_pheFWvlX_lmT2mSY-aFmozUo630hQoQF19xIdxV3bya--fu7Eb8js_zLzMsVrh8k7aTe-Qu8zttSsUbg9J4ZpCk3H__4EhaNL5yvIbyyRFJJo5cLoDJjlk4Vtln78qFTTrd0j5YN5IdCUmw%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatcher&searchinfo%3Dzeltser.com%2520extracting%2520malicious%2520flash%2520objects%2520from%2520pdfs%2520using%2520swf%2520mastah&servetime%3D15&origquery%3Dzeltser.com%2520Extracting%2520Malicious%2520Flash%2520Objects%2520from%2520PDFs%2520Using%2520SWF%2520Mastah&targetTitle%3D&serveurl%3Dhttp%253A%252F%252Fzeltser.com%252Fextracting-swf-from-pdf-using-swf-mastah%252F&adultsearch%3Dfalse&pop%3Dover&attributionDisabled%3Dfalse&secUntilMidnight%3D61846%22%2C%22time%22:1423666154148%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

References to zeltser.com are normal and non-malicious (that's my server); the mention of "swf-from-pdf-using-swf-mastah" is also normal, because that's the web page that received the malicious request. However, notice the inclusion of an unexpected hostname interyield.jmp9.com and a mention of "adultsearch". 

I came across many mentions of the cookie hash value seen above when searching the web, including the following request that triggered a SQL injection WAF alert:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%229f835ef2-cd7e-43b9-861e-6de9d5113dd6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://www.stoppublicites.fr/?page_id%3D2%22%2C%22firstReferrer%22:%22https://www.google.fr%22%2C%22actionUrl%22:%22https://www.tr553.com/InterYield/rd.do?affiliate%3Drzbkmax&subid%3D9614_1001_fr&adCountIntervalHours%3D24&maxAdCountsPerInterval%3D12&snoozeMinutes%3D2&url%3Dhttp%253A%252F%252Fcoreclickhoo.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D66385%2526subid%253D9614_1001_fr%2526terms%253Dstoppublicites.fr%252520nettoyer%252520son%252520ordinateur%252520stop%252520les%252520publicit%2525C3%2525A9s%252520intempestives%2526ai%253Db5mbQSp35CDIM8MtUy8woqtnjjHFnHB3ffZyrAlbZK9_PMF8spIXolWRiMEY4cAutjyO_Z-a2ptbmfky5jNdYyaxu2fuGRTEb59un12-ny0lAw_qXUhQzSUxJBCzXrgkJd0zYz1reyEsi28kqJHrAgWtVWPqLl7e20nbFGEaOaMP8cyITdxlg8UHWWOovjOInL9RMVxLCn4Q8O_vhgR3PV-1G6VlbN8GywCRSOCdAHHy5Tbrf2ft255bQcJe7X1Wp3dKuiuJhdk2bMcsof2lcGTxuMYmBXRHicP-yNREHlIWCM86s1FwLi06ojqqeiEc9Am73WnkvbKR6vv9sAc8bIfUiE8wTm6673h-ouF0GMfyrhuodcvdL33t_7lMjBGMlg-83EFxqtrD968hqVpKWNVaxP7fbCOUHr4_1oHjQOq0j_S_DrZhrEG953stbKIFAL2z5uhPFs0Y5ByFbRLlSn9YzM7hfxcqmugeCUhUAwiiyNyeNgDXLkAH-X9N5YmFSo03jcQuEPU6_y2upRASxg%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatcher&searchinfo%3Dstoppublicites.fr%2520nettoyer%2520son%2520ordinateur%2520stop%2520les%2520publicit%25C3%25A9s%2520intempestives&servetime%3D728&origquery%3Dstoppublicites.fr%2520Nettoyer%2520son%2520ordinateur%2520%2520Stop%2520les%2520publicit%25C3%25A9s%2520intempestives&targetTitle%3D&serveurl%3Dhttp%253A%252F%252Fwww.stoppublicites.fr%252F%253Fpage_id%253D2&adultsearch%3Dfalse&pop%3Dover&attributionDisabled%3Dfalse%22%2C%22time%22:1416831764095%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

I noticed mentions of the cookie value 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661 dating back to 2012.

We're probably dealing with some malicious scanning tool that has this value hardcoded into its cookie-generating code, which is designed to exploit XSS and/or SQL injection vulnerabilities with the goal of redirecting victimized sites' visitors to malicious destinations.
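The cookie's payload is a URL-encoded JSON object whose actionUrl field carries a redirect chain in nested, repeatedly percent-encoded url= parameters. The following is an added example (not code from the diary or the reader who reported the cookie) showing how to decode such a cookie from a log line, unwrap the redirect chain to list the third-party hosts involved, and flag requests whose cookie name carries the hardcoded hash quoted above. The sample header is an abridged version of the request shown earlier in the diary; the function names, the KNOWN_COOKIE_HASHES set and the finding layout are this example's own.

```python
"""Decode and triage the '<hash>.session={...}' cookie described in the diary.

Added example: parse the URL-encoded JSON payload, unwrap the nested
'url=' redirect parameters in actionUrl, and report the hostnames in the
chain so a log review can spot the hardcoded cookie-name hash and the
third-party redirect destinations.
"""
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Cookie-name hash the diary reports across unrelated sites since 2012.
KNOWN_COOKIE_HASHES = {"3e1dd89fdfa706ed2e69a8eccf98cab048d7b661"}

# Constructed sample: the diary's first request, abridged to the fields used here.
SAMPLE_COOKIE_HEADER = (
    "Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session="
    "{%22id%22:%226fe15833-083e-4364-84ec-e4a5b9f61ad6%22%2C"
    "%22evoke%22:%22back%22%2C"
    "%22firstUrl%22:%22http://zeltser.com/extracting-swf-from-pdf-using-swf-mastah%22%2C"
    "%22firstReferrer%22:%22https://www.google.nl%22%2C"
    "%22actionUrl%22:%22https://interyield.jmp9.com/InterYield/rd.do?affiliate%3Dnxldg2"
    "&subid%3D36x55x&url%3Dhttp%253A%252F%252Frd-direct.com%252Fctrd%252Fclick%252Fnewjump1.do"
    "%253Faffiliate%253D67935%2526subid%253D36x55x&adultsearch%3Dfalse&pop%3Dover%22%2C"
    "%22time%22:1423666154148%2C%22exited%22:false}"
)


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: raw_value}; the first '=' separates name from value."""
    if header.lower().startswith("cookie:"):
        header = header[len("cookie:"):]
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def decode_session_payload(raw_value):
    """Percent-decode the cookie value once and parse the resulting JSON object."""
    return json.loads(unquote(raw_value))


def unwrap_redirects(url, max_depth=5):
    """Follow nested 'url=' query parameters and return the hostnames in order.

    Each level is percent-encoded one more time than its parent; parse_qs
    decodes exactly one layer per step, so the chain unwinds naturally.
    """
    hosts = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        if not parts.hostname:
            break
        hosts.append(parts.hostname)
        nested = parse_qs(parts.query).get("url")
        if not nested:
            break
        current = nested[0]
    return hosts


def triage_cookie_header(header, known_hashes=KNOWN_COOKIE_HASHES):
    """Return one finding per cookie whose name is '<known hash>.session'."""
    findings = []
    for name, raw in parse_cookie_header(header).items():
        hash_part, sep, suffix = name.partition(".")
        if not sep or suffix != "session" or hash_part not in known_hashes:
            continue
        try:
            payload = decode_session_payload(raw)
        except ValueError:  # malformed or truncated payload: still report the hash hit
            payload = {}
        action_url = payload.get("actionUrl", "")
        findings.append({
            "cookie_hash": hash_part,
            "session_id": payload.get("id"),
            "victim_host": urlsplit(payload.get("firstUrl", "")).hostname,
            "redirect_hosts": unwrap_redirects(action_url),
            "adult_search_flag": "adultsearch" in action_url,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_cookie_header(SAMPLE_COOKIE_HEADER):
        print(json.dumps(finding, indent=2))
```

Running the script on the sample prints a finding whose redirect_hosts list is interyield.jmp9.com followed by rd-direct.com, which is the third-party chain hidden inside the cookie; feeding each Cookie header from a web server log through triage_cookie_header gives a quick list of affected requests and the hosts they point at.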

Do you have additional information about this cookie value, or would you like to share your analysis of this data? Please share your perspective in the discussion forum.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter. He also writes a security blog.


Comments

The string 'interyield.jmp9.com' points to a browser popup malware: http://www.antivirus-blog.com/removal-guides/remove-interyield-jmp9-com-pop-removal/
Looks like someone's browser got hijacked...
Could this be the new trend of "Perma Cookies"? Companies such as Verizon & AT&T have been caught using these types of "beacons" and until recently made it difficult to remove them.

Their Perma/Zombie was picked up as soon as you went into the site and would inject on both PC and mobile devices.

Just a thought...

https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

According to Verizon, the header value is a salted hash, and the hash changes on an undisclosed frequency. However, it's easy for third-party ad networks to create a continuous profile by associating old and new X-UIDH values through their own identifier cookie. Verizon has refused to say what identifier they hash to create the identifier, but their recent patent suggests hashing a phone number. If they are indeed hashing phone numbers, it would be a major cryptographic mistake. Phone numbers can easily be deduced from hashes, so sending those hashes to untrusted web sites is practically equivalent to giving them your phone number.

Here is the latest.

http://pbokelly.blogspot.com/2015/01/verizon-wireless-to-allow-complete-opt.html

"But even if Verizon now allows subscribers to opt-out of having their online activities tracked using a unique customer code, that option may not satisfy privacy advocates who say consumers are unlikely to understand the implications of default tracking. Some say Verizon should have the feature turned off by default and require people to voluntarily switch it on."

Hmm, S.coldsearch.com is malware, too, so I disabled it manually via a free guide from Google: http://www.pccaretips.com/blog/get-rid-of-s-coldsearch-com-redirect-virus-permanently.html
