Microsoft team discovers malicious cookie-forwarding scheme

The scheme could clandestinely forward stolen session cookies to zombie machines in botnets that could use them to gain unauthorized access to websites

Microsoft researchers checking how easy it is to identify users by analyzing commonly collected Web-log data incidentally discovered a cookie-forwarding scheme that can be used to aid session hijacking.

If put into play, the scheme could clandestinely forward stolen session cookies to individual zombie machines in botnets that could use them to gain unauthorized access to websites, according to their research paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications" (PDF).


Using data about hundreds of millions of devices that connected to Hotmail during August 2010, the researchers found a certain percentage that connected from more than one Internet AS (Autonomous System) -- a large collection of related IP addresses, usually under the control of a large organization like a service provider, corporation or university.


By tracking cookies that Hotmail issued to these devices, the researchers concluded that most of them were legitimate and were likely mobile or using VPNs, hence the changing location of their IP addresses.

But they also found a small group of cookies exhibiting abnormal behavior. A single IP address in Denmark was logging into a large number of Hotmail accounts. The Hotmail cookies sent to those users were then being reused to gain access from IP addresses in multiple ASs in the U.S., apparently having been shipped to those IP addresses via a covert channel, the researchers say.

The Hotmail accounts being logged into were all created on the same day, with the same user age, location data, and scripted naming patterns. The researchers concluded they were bot user accounts.

They had two possible explanations for these activities. First, some Web mail providers flag an account as suspicious if it logs in from multiple geographic locations in a short time span. This type of activity could circumvent that. Spreading the cookies around could let attackers access accounts without explicitly logging in, thereby reducing the likelihood of detection.

Second, attackers may be using the bot accounts and cookie forwarding to see how effectively they can gain access to accounts in general, as preparation for using the method against real users and real accounts.

The researchers say analyzing mobility patterns by using anonymized data gathered from service providers can be a valuable method of detecting this type of stealthy attack.
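As an added illustration (not the researchers' code or Hotmail data), the following combines the two signals described above into detection logic run over constructed web-log lines: a single IP logging into many accounts, and the cookies issued by those logins later presented from ASes other than the one that logged in. The log format, field names, the threshold of three accounts per login IP, and all sample values are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample web-log lines (made-up accounts, documentation-range IPs,
# private-use AS numbers): "timestamp account session_cookie client_ip asn event"
SAMPLE_LOG = """\
2010-08-03T10:00:01 bot0001 c1 203.0.113.10 AS64500 login
2010-08-03T10:00:02 bot0002 c2 203.0.113.10 AS64500 login
2010-08-03T10:00:03 bot0003 c3 203.0.113.10 AS64500 login
2010-08-03T11:15:00 bot0001 c1 198.51.100.7 AS64496 request
2010-08-03T11:20:00 bot0001 c1 192.0.2.44 AS64497 request
2010-08-03T11:25:00 bot0002 c2 198.51.100.9 AS64496 request
2010-08-03T11:30:00 bot0003 c3 192.0.2.45 AS64497 request
2010-08-03T09:00:00 alice c9 192.0.2.100 AS64510 login
2010-08-03T09:30:00 alice c9 192.0.2.100 AS64510 request
2010-08-03T12:00:00 alice c9 198.51.100.200 AS64511 request
"""
FIELDS = ("ts", "account", "cookie", "ip", "asn", "event")

def parse_log(text):
    """One dict per non-empty log line."""
    return [dict(zip(FIELDS, ln.split())) for ln in text.splitlines() if ln.strip()]

def mobility_profile(records):
    """Distinct ASes seen per cookie. Legitimate mobile and VPN users also
    exceed 1, so this signal alone is not an alert."""
    asns = defaultdict(set)
    for r in records:
        asns[r["cookie"]].add(r["asn"])
    return {c: len(a) for c, a in asns.items()}

def find_forwarded_cookies(records, min_accounts_per_login_ip=3):
    """Flag cookies that (a) were issued by a login from an IP that logged into
    many distinct accounts and (b) were afterwards presented from an AS other
    than the one that logged in: both signals the article describes."""
    issued_from = {}                          # cookie -> (login_ip, login_asn)
    accounts_per_ip = defaultdict(set)        # login_ip -> accounts it logged into
    used_asns = defaultdict(set)              # cookie -> ASes of later requests
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "login":
            issued_from[r["cookie"]] = (r["ip"], r["asn"])
            accounts_per_ip[r["ip"]].add(r["account"])
        elif r["cookie"] in issued_from:
            used_asns[r["cookie"]].add(r["asn"])
    flagged = {}
    for cookie, (ip, asn) in issued_from.items():
        foreign = used_asns[cookie] - {asn}
        if foreign and len(accounts_per_ip[ip]) >= min_accounts_per_login_ip:
            flagged[cookie] = {"login_ip": ip, "reused_from": sorted(foreign)}
    return flagged
```

On the sample data the three bot cookies are flagged while alice, whose cookie also moved between two ASes, is not; lowering the per-IP threshold to 1 shows how the mobility signal alone would misfire on her.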


This story, "Microsoft team discovers malicious cookie-forwarding scheme" was originally published by Network World.


Copyright © 2012 IDG Communications, Inc.