How malware eats cookies - an empirical study of cookies in malware's communication

Presented at VB2015, Oct. 1, 2015, noon (30 minutes)

HTTP cookies are commonly used by websites to store users' information while users are browsing the website. As an efficient mechanism for storing a unique identity for each user, cookies play a fundamental role in user tracking, user authentication and anti-spoofing.

While cookies are so prevalent in normal HTTP traffic, how about the picture in underground traffic? Do malicious servers employ cookies to uniquely identify their evil peers? What is the concealed information between evil peers? In this paper, we conduct an empirical study designed to answer the aforementioned questions. We study malware, the malicious entities that spawn millions of cookies every day, and their below-the-surface logic of using cookies. In particular, we monitor malware samples that generate cookies for their communication. With reference to malware behaviours, we extract the potential encoding and decoding schemes for cookies and discover the underlying meaning of each malicious cookie. Based on that, we propose a set of effective heuristic and real-time detection approaches for identifying malicious traffic among high volumes of live traffic. Our study is conducted on a dataset containing over 10,000 HTTP sessions generated by confirmed malware samples. The evaluation shows our scheme can precisely detect the malicious traffic among our test dataset with lower false positive rates in comparison with our previous detection method.

Presenters:

• Kyle Sanders - Palo Alto Networks
  Kyle Sanders Kyle Sanders has worked in the IT industry for the last 10 years and is currently the team lead for malware research at Palo Alto Networks. His research interests are in automated malware detection, network forensics and code analysis.
• Wei Xu - Palo Alto Networks
  Wei Xu Wei Xu is a security researcher at Palo Alto Networks. His current research interests include web security, network security and security data analysis. His past research works have been published in both academic and in industry circles. He was a speaker at VB2012, VB2014 and BlackHat 2013. He received his B.S. degree and M.S. degree in electrical engineering from Tsinghua University, Beijing, China, in 2005 and 2007 respectively. He obtained his Ph.D. degree in computer science from Penn State University in 2013.
• Zhaoyan Xu - Palo Alto Networks
  Zhaoyan Xu Zhaoyan Xu is a research engineer at Palo Alto Networks. He joined the Palo Alto Networks in 2014, working in the area of Internet security. He earned his Ph.D. degree from Texas A&M University, College Station in 2014. His research interests include web security, malware analysis, detection and system security.

Links:

• https://www.virusbulletin.com/conference/vb2015/abstracts/how-malware-eats-cookies-empirical-study-cookies-malware-s-communication

Similar Presentations:

• Black Hat USA 2016 / HTTP Cookie Hijacking in the Wild: Security and Privacy Implications
• DEF CON 16 (2008) / 365-Day: Active Https Cookie Hijacking
• DEF CON 22 (2014) / Client-Side HTTP Cookie Security: Attack and Defense