Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems

Over the last few months we have been trying to look deeper into how Web-based malware gets distributed. A lot has been written about the underground economy and how one can buy exploit kits, such as Blackhole, from underground websites. But once the attacker has bought the exploit kit, how do they infect computers? This blog focuses on a distribution channel that makes use of Traffic Distribution Systems or TDS for short.

How does a TDS work? In a nutshell a TDS vendor buys and sells Web traffic. While this is a very old concept, it has become really popular for exploit delivery over the last few years.

Let’s say you own a website and you want to make money from it. One way you could do that is by having various interesting and contextual links on your page. When a visitor clicks one of these links, the click is redirected to a TDS vendor. Essentially you are selling the click on your website to this TDS vendor, who in turn sells this click or traffic to the highest bidder.

So the attacker, instead of trying to infect websites or purchase stolen credentials, just buys clicks or traffic from these TDS vendors. As long as the conversion rate is good and the attacker earns more than they spend on traffic acquisition, there is profit to be made.

Enterprising attackers are known to buy ad space from popular advertising networks. The click-through URLs of these ads point to the TDS vendors. In fact there is an arbitrage opportunity here: if the buyer can purchase ad space cheaply and resell the clicks to TDS vendors at a slightly higher price, the margin alone keeps the scheme profitable. Some websites, such as pornographic sites or fake search engines, are also known to link directly to a TDS vendor.

Figure 1. URLs that show popular ad networks directing traffic to a TDS vendor.

Technically anyone can buy traffic from a TDS vendor. Sometimes there are secondary and tertiary vendors that buy the traffic and resell it. For example, we often see a popular Russian traffic exchange website buying traffic from these TDS vendors.

Figure 2. Categories of traffic to be bought and sold on a traffic exchange website.

Most of the time, the traffic terminates on a pornographic, gaming, advertisement, or survey website. However, attackers are also known to buy traffic from TDS vendors and redirect the request to malicious websites hosting exploit kits. In these cases, the click terminates at a website containing the malware used in a drive-by-download attack.

For the attacker this is easy work. No hacking or purchase of hacked Web servers is necessary. It’s as easy as finding a TDS vendor and buying traffic to the malicious website from them. TDS vendors guarantee a steady stream of traffic to the malicious website. Anyone can become a TDS vendor by purchasing and installing a TDS software package on a Web server; such a package simply consists of easy-to-install, server-side scripts.

There are many TDS software packages available on the market offering a variety of features. Sutra TDS and TS, Kalisto TDS, and Simple TDS are some of them. For instance, the Sutra TDS package comes with many features, such as weighted distribution across target URLs, redirection based on the incoming request’s geography, proxy use, and keywords, and detailed statistics. The package also provides a feature called “UPTIME_BOT”, which is essentially a module for tracking whether the target URL is still active and whether the page is free of malicious code.

Figure 3. The Sutra 3.4 traffic manager interface.

The TS package (from the same company that makes Sutra TDS) is a management platform for operating a traffic exchange and is described as a universal system for the purchase, sale, and distribution of Web traffic. Unlike the TDS package, which is used for redirecting traffic based on things like weight and keywords, the TS package allows the vendor to buy and sell traffic across multiple entities and manage an entire traffic exchange system. The TS system also has many features, such as antibot detection (detecting click bots), Web payments, management of different pay rates per country, support for classifying different traffic types for the buyers, and statistical reporting. The cost of buying these scripts or software packages ranges between US$40 and US$275.

A lot of small-time, grey users are known to install and operate these TDS packages and become TDS vendors. Not all TDS vendors are controlled by attackers or sell their traffic to malicious entities. There are some legitimate TDS vendors as well.

To sum up, here is the process of how a computer gets compromised:

  1. The user visits a legitimate website.
  2. The website displays an ad from one of the ad networks.
  3. The user clicks the ad and is redirected to the TDS.
  4. The TDS redirects the user to the final destination URL. In most cases this is a legitimate website that bought the click; in the case described here, the final destination URL is a website hosting drive-by-download exploits.
  5. The computer is compromised as a result of the drive-by-download exploits.
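Steps 3 and 4 of this chain appear in a Web proxy log as a run of HTTP 3xx responses from the ad network to the TDS to the landing page. As an added example that is not part of the original post, the Python below reconstructs those redirect chains from constructed proxy records and flags chains that hop through several hosts before ending on a host the analyst does not recognise; the log format, hostnames, and allowlist are assumptions made for the illustration.

```python
from urllib.parse import urlparse

# Constructed proxy records for one client, in request order (not real data):
# (requested_url, http_status, Location header or None).
SAMPLE_LOG = [
    ("http://news.example.com/article", 200, None),
    ("http://ads.example-network.com/click?id=123", 302,
     "http://tds.example-vendor.net/in.cgi?3"),
    ("http://tds.example-vendor.net/in.cgi?3", 302,
     "http://landing.example-exploit.org/index.php"),
    ("http://landing.example-exploit.org/index.php", 200, None),
    ("http://landing.example-exploit.org/media/applet.jar", 200, None),
    # A second click whose chain the client abandoned before it resolved.
    ("http://ads.example-network.com/click?id=777", 302,
     "http://tds.example-vendor.net/in.cgi?9"),
    ("http://news.example.com/other", 200, None),
]


def redirect_chains(records):
    """Group consecutive 3xx hops into chains [first_url, ..., final_url]."""
    chains, current = [], []
    for url, status, location in records:
        is_hop = 300 <= status < 400 and location is not None
        if current and current[-1] != url:
            # The client did not follow the last Location: close the chain as-is.
            chains.append(current)
            current = []
        if is_hop:
            current = (current or [url]) + [location]   # start or extend a chain
        elif current:
            chains.append(current)                      # final (non-redirect) page reached
            current = []
    if current:
        chains.append(current)
    return chains


def suspicious_chains(records, known_hosts, min_hops=2):
    """Return chains with at least min_hops redirects that end on an unknown host."""
    flagged = []
    for chain in redirect_chains(records):
        hosts = [urlparse(u).hostname for u in chain]
        hops = len(chain) - 1
        if hops >= min_hops and hosts[-1] not in known_hosts:
            flagged.append({"hops": hops, "hosts": hosts, "final": chain[-1]})
    return flagged
```

Feeding the flagged chains' terminal hosts into your incident workflow (reputation lookup, sandboxing of the landing page) is the natural next step; the chain itself tells you which ad network and TDS the click passed through.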

Although the use of TDS vendors for malware delivery isn’t really a new phenomenon, we are seeing an increase in the use of this technique to deliver drive-by-download exploits. The use of advertisement networks in this chain is also something that we are seeing more of. Legitimate advertising companies need to put better systems in place to vet their buyers.

We advise all our customers to keep their security software up to date and not to click on any links that seem suspicious.