Traffic direction systems as a factor of targeted infection

Max Goncharov, Trend Micro

Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It shouldn't be surprising that the same is also true in the illegitimate world of cybercrime. So-called traffic direction systems (TDS) have reached a high level of sophistication, and in this paper I will show examples of how such systems work, how they are utilized by criminals, and what we can do about it.

First, we will see how TDSs work, looking at HTTP header redirection. Next, we look at IFrame and Flash methods and compare them.

Criminals try to maximize the effectiveness and profit of their exploits, and TDSs are instrumental in this. We shall see how time, region and installed software influence the TDS. For this we look at the various TDS tools that are available.

A TDS is strongly facilitated by malware and by the sort of traffic that is being served or directed. Malware itself may also be the end result of the TDS: the TDS is a vector of malware infection.

What can we do in the AV industry? In analysing TDS-based systems, there are many challenges in sourcing malware samples and malicious URLs, as the TDS is capable of detecting mechanical use and often initiates avoidance tactics. A naive approach to looking at TDS-based systems will produce bogus results and possibly damage innocent users. On the flip side, we will also see how we can protect users by actively detecting the TDS systems a user may be entangled in and blocking their use.
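To illustrate the header and IFrame redirection mechanisms together with the client-dependent behaviour described above, here is an added Python example (not from the paper or from Trend Micro) that walks a redirect chain for two client profiles over constructed responses and flags when the final destination depends on the client; the domains, profile names and the `fetch` stand-in are assumptions.

```python
import re
from urllib.parse import urljoin
# Constructed sample traffic (not captured from a real TDS): one entry URL answered
# differently per client profile, as a TDS keying on installed software or region would.
# (profile, url) -> (status, headers, body)
SAMPLE = {
    ("win_ie", "http://entry.example/land"): (302, {"Location": "http://tds.example/in.cgi?3"}, ""),
    ("win_ie", "http://tds.example/in.cgi?3"):
        (200, {}, '<html><iframe src="http://ek.example/x" width="0" height="0"></iframe></html>'),
    ("win_ie", "http://ek.example/x"): (200, {}, "<html>landing</html>"),
    ("crawler", "http://entry.example/land"): (302, {"Location": "http://tds.example/in.cgi?3"}, ""),
    ("crawler", "http://tds.example/in.cgi?3"): (302, {"Location": "http://benign.example/"}, ""),
    ("crawler", "http://benign.example/"): (200, {}, "<html>hello</html>"),
}

IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)
HIDDEN_RE = re.compile(r'(width|height)=["\']?0["\']?|display:\s*none', re.I)

def fetch(profile, url):
    # Stand-in for an HTTP client sending the profile's headers (assumed; swap in a real client).
    return SAMPLE[(profile, url)]

def hidden_iframes(body, base):
    # src of iframes that are 0x0 or display:none: the client-side redirection mechanism
    return [urljoin(base, m.group(1)) for m in IFRAME_RE.finditer(body)
            if HIDDEN_RE.search(m.group(0))]

def follow_chain(profile, url, max_hops=10):
    # Follow header (3xx Location) hops and hidden-iframe hops; return [(url, mechanism)].
    # The hop limit and seen-set guard against redirect loops.
    chain, seen = [], set()
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, headers, body = fetch(profile, url)
        if 300 <= status < 400 and "Location" in headers:
            chain.append((url, "header"))
            url = urljoin(url, headers["Location"])
            continue
        frames = hidden_iframes(body, url)
        if frames:
            chain.append((url, "iframe"))
            url = frames[0]
            continue
        chain.append((url, "final"))
        break
    return chain

def profile_divergence(url, profiles):
    # Final destination per profile; differing finals mean the TDS keys on the client.
    finals = {p: follow_chain(p, url)[-1][0] for p in profiles}
    return finals, len(set(finals.values())) > 1
```

Divergent finals for the same entry URL are the signal that naive single-profile crawling misses, and the `chain` records which hop used a header redirect and which a hidden IFrame.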
