Traffic direction systems as malware distribution tools
Traffic direction systems as malware distribution tools | |
---|---|
Botnet | |
Malware | |
Botnet/malware group | |
Exploit kits | Sutra TDS, IL TDS, Simple TDS, Advanced TDS, Kallisto TDS, CrazyTDS |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2011 / 2011-12-12 |
Editor/Conference | Trend Micro |
Link | http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_malware-distribution-tools.pdf (Archive copy) |
Author | Maxim Goncharov |
Type | Tech report |
Abstract
“Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It should not, therefore, be surprising for the same to be true in the illegitimate world of cybercrime. So-called traffic direction systems (TDSs) have reached a high level of sophistication. This research paper will show how such systems work, how these are utilized by cybercriminals, and what the security industry can do about this.
First, we will take a look at how TDSs work by looking at HTTP header redirection. Then we will look at and compare how TDSs use iframes and Flash-based applications to distribute malware. Cybercriminals try to maximize the effectiveness of TDSs in order to profit as much as possible from their exploits. This paper will also show how time, region, and installed software influence TDSs by looking at the various tools that are currently available in the market. Cybercriminals strongly utilize TDSs to determine traffic type, which will aid them in directing users to certain malicious sites and in determining what malicious payloads to execute on particular systems. Some malware may also be the end result of a particular TDS’s series of redirections, making it a malware infection vector. What then can we do as part of the security industry?
TDSs present several challenges with regard to malware sample sourcing and malicious URL detection, as these are capable of detecting the use of security tools and often initiate avoidance tactics. A naïve approach to looking at TDSs may, therefore, result in bogus findings and possible damage to the systems of innocent users. This paper will show how we can protect users by actively detecting and blocking the TDSs they may be entangled in.”
Bibtex
@misc{2011BFR4492,
  editor = {Trend Micro},
  author = {Maxim Goncharov},
  title = {Traffic direction systems as malware distribution tools},
  date = {12},
  month = Dec,
  year = {2011},
  howpublished = {\url{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_malware-distribution-tools.pdf}},
}