Traffic direction systems as a factor of targeted infection
Max Goncharov (Trend Micro)
Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It shouldn't
be surprising that the same is also true in the illegitimate world of cybercrime. So-called traffic direction systems (TDS) have
reached a high level of sophistication and in this paper I will show examples of how such systems work, how they are utilized
by criminals, and what we can do about it.
First, we will see how TDSs work, starting with HTTP header redirection. Next, we look at IFrame- and Flash-based methods
and compare them.
Criminals try to maximize the effectiveness and profit of their exploits, and TDSs are instrumental in this. We shall see
how time, region and installed software influence the TDS. For this we look at various available TDS tools that
TDS is strongly facilitated by malware and by the sort of traffic that is being served or directed. Malware itself may also
be the end result of the TDS: TDS is a vector of malware infection.
What can we do in the AV industry? In analysing TDS-based systems there are many challenges in sourcing malware samples and
malicious URLs, as the TDS is capable of detecting mechanical use and often initiates avoidance tactics. A naive approach to
looking at TDS-based systems will produce bogus results and possibly damage to innocent users. On the flip side, we will also
see how we can protect users by actively detecting the TDSs a user may be entangled in and blocking them.
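The client-dependent redirection described above (region, installed software) is also what gives a TDS away from the defender's side, as this added example shows; it is not code from the paper, and the probe data, host names and profile labels are all constructed.

```python
"""Flag TDS-style conditional redirection from captured redirect chains.

Added example (not code from the paper): the same entry URL is probed
several times with different client profiles, and each probe's hops are
recorded as (HTTP status, URL). A TDS that keys on region or installed
software sends the profiles to different final destinations; an ordinary
referral redirect sends every profile to the same place.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample hops with hypothetical .example hosts; not real indicators.
PROBES = {
    ("Windows/MSIE", "en-US"): [
        (302, "http://entry.example/click?id=7"),
        (302, "http://tds.example/in.cgi?3"),
        (200, "http://landing-a.example/index.php")],
    ("Windows/MSIE", "ru-RU"): [
        (302, "http://entry.example/click?id=7"),
        (302, "http://tds.example/in.cgi?3"),
        (200, "http://search.example/")],
    ("Linux/curl", "en-US"): [  # scanner-like profile is shown a benign page
        (302, "http://entry.example/click?id=7"),
        (200, "http://search.example/")],
}

def hop_hosts(chain):
    """Host name of every hop, in order; a hop without a host is an error."""
    hosts = [urlparse(url).hostname for _, url in chain]
    if not all(hosts):
        raise ValueError("hop without a host name in chain")
    return hosts

def analyse(probes):
    """Summarise all probes of one entry URL.

    conditional: profiles ended at more than one final host (TDS-like).
    redirect_hosts: hosts that only ever answered with a 3xx, i.e. candidates
    for the redirector node itself, which is what a blocklist should carry.
    """
    by_final = defaultdict(list)
    seen_as_redirect, seen_as_final = set(), set()
    for profile, chain in probes.items():
        hosts = hop_hosts(chain)
        for (status, _), host in zip(chain, hosts):
            (seen_as_redirect if 300 <= status < 400 else seen_as_final).add(host)
        by_final[hosts[-1]].append(profile)
    return {
        "conditional": len(by_final) > 1,
        "destinations": {h: sorted(p) for h, p in by_final.items()},
        "redirect_hosts": sorted(seen_as_redirect - seen_as_final),
    }
```

Note that the curl-like profile never reaches the landing host, which is the "mechanical use" avoidance the abstract mentions: a single-profile scan of this entry URL would report it as clean.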