The Mystery of a Session Cookie

Published: 2015-03-09
Last Updated: 2015-03-09 21:56:59 UTC
by Lenny Zeltser (Version: 1)
3 comment(s)

An ISC reader sent us a note about a session cookie that has been appearing in web server logs; the cookie contents triggered cross-site scripting alerts from the Web Application Firewall. Across the various HTTP session instances, the cookie contained the same hash: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661. Other contents of the cookie included references to malicious-looking third-party URLs that contained affiliate IDs.

I came across an HTTP request on my own server from about a month ago, which contained the same hash value. It looked like this:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%226fe15833-083e-4364-84ec-e4a5b9f61ad6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://zeltser.com/extracting-swf-from-pdf-using-swf-mastah%22%2C%22firstReferrer%22:%22https://www.google.nl%22%2C%22actionUrl%22:%22https://interyield.jmp9.com/InterYield/rd.do?affiliate%3Dnxldg2&subid%3D36x55x&adCountIntervalHours%3D10&maxAdCountsPerInterval%3D10&snoozeMinutes%3D3&url%3Dhttp%253A%252F%252Frd-direct.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D67935%2526subid%253D36x55x%2526terms%253Dzeltser.com%252520extracting%252520malicious%252520flash%252520objects%252520from%252520pdfs%252520using%252520swf%252520mastah%2526ai%253DGBGY6n-oRoaZ5DbR3BvafDuwZZBHn_Zj87Ciuqy_NiyMy4vZ9stpcd-fUa2UQ4DNx6GUMEj6KeGzltSVzUDRpVk07lWGpUkMlyMG9WcqGbazGffYI9a0cQ_J3FAxb2mL-WwfCJMawYXUETMOQe_CEk1s2vaRI8fq4K3Py5tve0uM4UPyCump1wSNSctzDKm_Heo-CfJZ22AHKUGAA9vCWhmxe1tlg4XjKiyKsUF9q5zzg0jCAeKNHyDqhsVo3r-FUjUmxQbTjRD772JxVD6l9h6R91sJQv9o_GcfcHebSu6NpGla5Wh9eEto8cK2LGb79D3XJm_Agq05Hvr0gevAXCxfNltsfRuPnXnSpSHU8x8XkZ-Ss54r7j-BHL_RLNOI-V7hnpAV_gx6J0Fsvdm99Qfm_U7AppaCJQNh-x93VU6nqyjUXFeIdB4o-MlIBv_Y51meo4_pheFWvlX_lmT2mSY-aFmozUo630hQoQF19xIdxV3bya--fu7Eb8js_zLzMsVrh8k7aTe-Qu8zttSsUbg9J4ZpCk3H__4EhaNL5yvIbyyRFJJo5cLoDJjlk4Vtln78qFTTrd0j5YN5IdCUmw%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatcher&searchinfo%3Dzeltser.com%2520extracting%2520malicious%2520flash%2520objects%2520from%2520pdfs%2520using%2520swf%2520mastah&servetime%3D15&origquery%3Dzeltser.com%2520Extracting%2520Malicious%2520Flash%2520Objects%2520from%2520PDFs%2520Using%2520SWF%2520Mastah&targetTitle%3D&serveurl%3Dhttp%253A%252F%252Fzeltser.com%252Fextracting-swf-from-pdf-using-swf-mastah%252F&adultsearch%3Dfalse&pop%3Dover&attributionDisabled%3Dfalse&secUntilMidnight%3D61846%22%2C%22time%22:1423666154148%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

References to zeltser.com are normal and non-malicious (that's my server); the mention of "swf-from-pdf-using-swf-mastah" is also normal, because that's the web page that received the malicious request. However, notice the inclusion of an unexpected hostname interyield.jmp9.com and a mention of "adultsearch". 

I came across many mentions of the cookie hash value seen above when searching the web, including the following trigger of a SQL injection WAP alert:

Cookie: 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661.session={%22id%22:%229f835ef2-cd7e-43b9-861e-6de9d5113dd6%22%2C%22evoke%22:%22back%22%2C%22termsType%22:0%2C%22action%22:1%2C%22firstHistory%22:1%2C%22firstUrl%22:%22http://www.stoppublicites.fr/?page_id%3D2%22%2C%22firstReferrer%22:%22https://www.google.fr%22%2C%22actionUrl%22:%22https://www.tr553.com/InterYield/rd.do?affiliate%3Drzbkmax&subid%3D9614_1001_fr&adCountIntervalHours%3D24&maxAdCountsPerInterval%3D12&snoozeMinutes%3D2&url%3Dhttp%253A%252F%252Fcoreclickhoo.com%252Fctrd%252Fclick%252Fnewjump1.do%253Faffiliate%253D66385%2526subid%253D9614_1001_fr%2526terms%253Dstoppublicites.fr%252520nettoyer%252520son%252520ordinateur%252520stop%252520les%252520publicit%2525C3%2525A9s%252520intempestives%2526ai%253Db5mbQSp35CDIM8MtUy8woqtnjjHFnHB3ffZyrAlbZK9_PMF8spIXolWRiMEY4cAutjyO_Z-a2ptbmfky5jNdYyaxu2fuGRTEb59un12-ny0lAw_qXUhQzSUxJBCzXrgkJd0zYz1reyEsi28kqJHrAgWtVWPqLl7e20nbFGEaOaMP8cyITdxlg8UHWWOovjOInL9RMVxLCn4Q8O_vhgR3PV-1G6VlbN8GywCRSOCdAHHy5Tbrf2ft255bQcJe7X1Wp3dKuiuJhdk2bMcsof2lcGTxuMYmBXRHicP-yNREHlIWCM86s1FwLi06ojqqeiEc9Am73WnkvbKR6vv9sAc8bIfUiE8wTm6673h-ouF0GMfyrhuodcvdL33t_7lMjBGMlg-83EFxqtrD968hqVpKWNVaxP7fbCOUHr4_1oHjQOq0j_S_DrZhrEG953stbKIFAL2z5uhPFs0Y5ByFbRLlSn9YzM7hfxcqmugeCUhUAwiiyNyeNgDXLkAH-X9N5YmFSo03jcQuEPU6_y2upRASxg%2526version%253D1.2%2526passThruAttr%253DeventHandler%25253Dbackcatcher&searchinfo%3Dstoppublicites.fr%2520nettoyer%2520son%2520ordinateur%2520stop%2520les%2520publicit%25C3%25A9s%2520intempestives&servetime%3D728&origquery%3Dstoppublicites.fr%2520Nettoyer%2520son%2520ordinateur%2520%2520Stop%2520les%2520publicit%25C3%25A9s%2520intempestives&targetTitle%3D&serveurl%3Dhttp%253A%252F%252Fwww.stoppublicites.fr%252F%253Fpage_id%253D2&adultsearch%3Dfalse&pop%3Dover&attributionDisabled%3Dfalse%22%2C%22time%22:1416831764095%2C%22exited%22:false%2C%22sawExitOverlay%22:false}

I noticed the mention of the cookie value 3e1dd89fdfa706ed2e69a8eccf98cab048d7b661 dating back to 2012.

We're probably dealing with some malicious scanning tool that has this value hardcoded into its cookie-generating code, which is designed to exploit XSS and/or SQL injection vulnerabilities with the goal of redirecting victimized sites' visitors to malicious destinations.

Do you have additional information about this cookie value or would like to share your analysis of this data? Please share your perspective in the discussion forum.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

Keywords:
3 comment(s)
Diary Archives