HTTP cookies are commonly used by websites to store user information while a user is browsing the site. As an efficient mechanism for storing a unique identity for each user, cookies play a fundamental role in user tracking, user authentication and anti-spoofing.

Cookies are prevalent in normal HTTP traffic, but what does the picture look like in underground traffic? Do malicious servers employ cookies to uniquely identify their malicious peers? What information is concealed between those peers? In this paper, we conduct an empirical study designed to answer these questions. We study malware, the malicious entities that spawn millions of cookies every day, and the below-the-surface logic with which they use cookies. In particular, we monitor malware samples that generate cookies for their communication. With reference to the observed malware behaviour, we extract the potential encoding and decoding schemes applied to the cookies and recover the underlying meaning of each malicious cookie. Based on that, we propose a set of effective heuristic, real-time detection approaches for identifying malicious traffic among high volumes of live traffic. Our study is conducted on a dataset containing over 10,000 HTTP sessions generated by confirmed malware samples. The evaluation shows that our scheme precisely detects the malicious traffic in our test dataset with a lower false positive rate than our previous detection method.
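The abstract does not state which encoding schemes or heuristics the paper uses. As an added illustration, which is not the paper's code and uses no data from its dataset, the following Python snippet shows the general shape of such an analysis: it parses a `Cookie` request header, peels candidate encoding layers (percent, hex, base64) off each value, and flags a cookie whose decoded form turns out to be `key=value&key=value` data, i.e. structured information smuggled inside a cookie. The sample headers, the hypothetical `data` cookie and its beacon-style payload are all constructed here; the thresholds in `assess_cookie` are assumptions, not values from the paper.

```python
"""Illustrative cookie decoder and heuristic (added example, not the paper's scheme)."""
import base64
import binascii
import math
import re
from urllib.parse import unquote

# A plausible key=value&key=value structure hidden behind an encoding layer.
KV_RE = re.compile(r"^[A-Za-z0-9_.-]+=[^&=]*(&[A-Za-z0-9_.-]+=[^&=]*)+$")


def parse_cookie_header(header: str) -> list:
    """Split a raw Cookie request-header value into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_layers(value: str, max_depth: int = 3) -> tuple:
    """Peel candidate encodings off a value.

    Returns (layer_names, innermost_plaintext). A layer only counts when the
    decoded result is printable text, which keeps random session IDs from being
    mistaken for encoded data.
    """
    layers = []
    current = value
    for _ in range(max_depth):
        decoded, layer = None, None
        if "%" in current:
            cand = unquote(current)
            if cand != current:
                decoded, layer = cand, "percent"
        if decoded is None and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", current):
            try:
                decoded, layer = bytes.fromhex(current).decode("ascii"), "hex"
            except (ValueError, UnicodeDecodeError):
                decoded = None
        if (decoded is None and len(current) % 4 == 0
                and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", current)):
            try:
                raw = base64.b64decode(current, validate=True)
                decoded, layer = raw.decode("ascii"), "base64"
            except (binascii.Error, UnicodeDecodeError):
                decoded = None
        if decoded is None or not decoded.isprintable():
            break
        layers.append(layer)
        current = decoded
    return layers, current


def assess_cookie(name: str, value: str) -> dict:
    """Apply two assumed heuristics to one cookie and report the findings."""
    layers, plain = decode_layers(value)
    flags = []
    if layers and KV_RE.match(plain):
        flags.append("encoded_structured_data")  # key=value data hidden behind an encoding
    if len(value) >= 64 and shannon_entropy(value) >= 4.5:
        flags.append("long_high_entropy")  # opaque blob; worth a second look, not proof
    return {"name": name, "layers": layers, "decoded": plain, "flags": flags}


def assess_request(cookie_header: str) -> list:
    """Assess every cookie carried in one request's Cookie header."""
    return [assess_cookie(n, v) for n, v in parse_cookie_header(cookie_header)]


# Constructed sample headers (not from the paper's dataset).
BENIGN = "PHPSESSID=c7a0e9f1b2; lang=en-US; theme=dark"
HIDDEN = "id=314159&host=WIN-PC1&v=1.2"  # constructed beacon-style payload
SUSPICIOUS = "PHPSESSID=c7a0e9f1b2; data=" + base64.b64encode(HIDDEN.encode()).decode()

if __name__ == "__main__":
    for label, header in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for finding in assess_request(header):
            print(label, finding)
```

On the benign header every cookie comes back with an empty `flags` list, because none of its values decodes to printable text. On the constructed suspicious header the `data` cookie is reported with `layers == ["base64"]`, its decoded payload, and the `encoded_structured_data` flag; the session cookie shared by both headers stays clean. A deployment would have to tune the thresholds and add an allowlist of known encoded-but-legitimate cookies before acting on these flags.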