Max Goncharov Trend Micro
download slides (PDF)
Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It shouldn't be surprising that the same is also true in the illegitimate world of cybercrime. So-called traffic direction systems (TDS) have reached a high level of sophistication and in this paper I will show examples of how such systems work, how they are utilized by criminals, and what we can do about it.
First, we will see how TDSs work, looking at HTTP header redirection. Next, IFrame and Flash methods will be looked at and a comparison made.
Criminals try to maximize the effectiveness and profit of their exploits and TDSs are instrumental in this. We shall see how time, region, as well as installed software influences the TDS. For this we look at various available TDS tools that are available.
TDS is strongly facilitated by malware and by the sort of traffic that is being served or directed. Malware itself may also be the end result of the TDS: TDS is a vector of malware infection.
What can we do in the AV industry? In analysing TDS-based systems, there are many challenges in sourcing malware samples and malicious URLS as the TDS is capable of detecting mechanical use and often initiates avoidance tactics. A naive approach to looking at TDS-based systems will result in bogus results and possibly damage to innocent users. On the flip side, we will also see how we can protect users by actively detecting TDS systems the user may be entangled in and block the usage of these.
