Security Response

Cookie Stuffing and W32.Pilleuz

Created: 25 Nov 2010 20:09:07 GMT • Updated: 23 Jan 2014 18:23:50 GMT • Translations available: 日本語
By Eoin Ward

Over the last year, Symantec has blogged on the rise and fall of the Mariposa botnet (which we detect as W32.Pilleuz). Today, we’re going to talk about an interesting aspect of this threat—the ability to perform “cookie stuffing”.

As delicious as it sounds, cookie stuffing is one of the subtler money spinning techniques used by malware writers. In order to explain the technique, let’s first look at the marketing model upon which it relies—affiliate marketing.

Let’s say I enjoy triathlons and that I’m a member of a “Symantec Triathlon Club” with the Web site symtriclub.com. This club is sponsored by a fictional bike store that runs examplebikestore.com. If I see a link to examplebikestore.com while on symtriclub.com, click on it, and then make a purchase, the club gets a small commission, since it effectively provided advertising for the cycle shop on its Web site.

In the above example, the club serves as an affiliate to the cycle shop and the purchase is known as a qualified transaction. A qualified transaction is not necessarily a purchase—it could be as simple as signing up for a newsletter or an account. A Web site may have many affiliates and use various methods to credit any particular one with a commission. “Last X days” is one such scheme. If the user makes a qualified transaction within 'X' days of having been referred from your Web site, then you will receive a commission.

But if many people visit examplebikestore.com from different locations, how does the site know which affiliate should get the commission? Cookies are one way to manage affiliate identification. As the browser navigates to examplebikestore.com from symtriclub.com, a cookie containing the affiliate ID of symtriclub.com is dropped, and the destination Web site pays a commission to that affiliate.

W32.Pilleuz can utilize something called “cookie stuffing” to leverage this affiliate marketing model for the bot owners’ gain. The bot herders can update their network of infected machines with new affiliate cookies for a myriad of legitimate companies. Then, if any of the compromised computers makes a qualified transaction, the herder gets the commission.  

This would not only defraud the genuine affiliate by robbing them of their commission but also the online store operators by making them pay commission for a transaction that is not affiliate-based.

Botnet cookie-stuffing means that the user doesn’t have to have bad browsing habits in order to become infested with these affiliate cookies. As the bot resides on the compromised computer, it can renew cookies periodically, as well as add new ones.

So why should a normal user care about cookie stuffing? It’s only the stores that are losing money, right? Not necessarily. By extracting extra commission from online stores, cookie stuffing drives up their costs. In turn, these stores will likely pass the extra cost on to the consumer. It also diverts commission from genuine affiliates who may rely heavily on it for extra income.

Here’s how it’s done. Each browser handles cookie management differently and W32.Pilleuz has code to cater for both Internet Explorer and Mozilla Firefox. In Firefox, all the cookie information is stored in the following SQLite database:

%AppData%\Mozilla\Firefox\Profiles\[RANDOM CHARACTERS].default\cookies.sqlite

The database contains one big table called “moz_cookies” that holds all your cookies. The following code snippet shows the threat building a string to insert a new cookie into the “moz_cookies” table. The newly inserted cookie contains the affiliate_reference_id of the herder.

When dealing with Internet Explorer, the threat uses the InternetSetCookieA API. This API takes three parameters:

  • lpszUrl [in] (a pointer to a URL string)
  • lpszCookieName [in] (a pointer to a name string)
  • lpszCookieData [in] (a pointer to the data to be associated with the URL)

The following code snippet shows the building of the URL string, the building of the data string, and finally a call to InternetSetCookieA. The data string contains an up-to-date last access time and expiration date, plus the affiliate_reference_id of the bot herder, so that they receive the defrauded commission.
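As an added illustration (not code from the original post or from the threat), the following Python script shows how a defender could inspect a Firefox cookies.sqlite for the pattern described above: the same affiliate name/value pair stuffed across many unrelated hosts. The moz_cookies layout used here is a simplified assumption, and the rows are constructed sample data.

```python
import sqlite3
from collections import defaultdict

# Assumption: a trimmed-down moz_cookies layout approximating the Firefox
# profile database the post refers to (real profiles carry more columns).
SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER
)
"""

# Constructed sample rows: one ordinary session cookie, one genuine single-store
# affiliate referral, and one herder id repeated across three unrelated shops.
SAMPLE_ROWS = [
    ("sessionid", "a1b2c3", "symtriclub.com", "/", 1300000000, 1290000000000000, 0, 1),
    ("affiliate_reference_id", "GENUINE777", ".examplebikestore.com", "/", 1320000000, 1290000000000000, 0, 0),
    ("affiliate_reference_id", "HERDER123", ".examplebikestore.com", "/", 1900000000, 1290000000000000, 0, 0),
    ("affiliate_reference_id", "HERDER123", ".example-shoes.test", "/", 1900000000, 1290000000000000, 0, 0),
    ("affiliate_reference_id", "HERDER123", ".example-books.test", "/", 1900000000, 1290000000000000, 0, 0),
]


def open_sample_db():
    """Build an in-memory stand-in for cookies.sqlite from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, lastAccessed, "
        "isSecure, isHttpOnly) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return con


def find_stuffed_cookies(con, min_hosts=3):
    """Return {(name, value): sorted hosts} for name/value pairs that recur on at
    least min_hosts distinct hosts. A real referral is tied to one store; the same
    affiliate id on many unrelated stores is the cookie-stuffing signature."""
    hosts_by_cookie = defaultdict(set)
    for name, value, host in con.execute("SELECT name, value, host FROM moz_cookies"):
        hosts_by_cookie[(name, value)].add(host.lstrip("."))  # normalise leading dot
    return {k: sorted(v) for k, v in hosts_by_cookie.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (name, value), hosts in find_stuffed_cookies(open_sample_db()).items():
        print(f"suspicious cookie {name}={value} on {len(hosts)} hosts: {hosts}")
```

To run it against a real profile, replace the in-memory connection with sqlite3.connect on a copy of cookies.sqlite (copy first, since Firefox keeps the live file locked).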

So update your definitions, not only for your own safety, but for the safety of online affiliates around the world who may be struggling this holiday season!

Thank you to Stephen Doherty, Yousef Hazimee, and Sean Kiernan for their assistance.