Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. There are a variety of TDS products available, including Sutra TDS (www.kytoon.com/sutra-tds.html). Finjan posted an interesting analysis of one campaign (it no longer appears to be available) in which they tracked the use of the TDS all the way from a malicious iframe embedded in a compromised website to an exploit pack that attempts to compromise the user based on the types of (vulnerable) software the user has installed.
The statistics pages of some of the sites using Sutra TDS (home-sd.com, sutbizka.ru and new-xmading.ru) were retrieved from the Google cache.
I found it interesting that the highest percentage of traffic to sutbizka.ru and new-xmading.ru was from Russia. The top referrers were generally porn sites and pay-per-click sites. Pay-per-click sites are an important part of converting botnet traffic into income. In a great two-part post (Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat) Trend Micro explores the relationship between these pay-per-click traffic brokers, click fraud and botnets.
Two of the top referrers to sutbizka.ru and new-xmading.ru were pay-per-click brokers media-click.ru and protizer.net.
Now, it's not entirely clear what activities home-sd.com, sutbizka.ru and new-xmading.ru are engaged in, but some additional searches revealed connections with malicious activity.
For example, the email address used to register home-sd.com (firstname.lastname@example.org) was also used to register sespeed.info, which Malware URL has linked to the distribution of RogueAV/FakeAV software. The email address used to register sutbizka.ru and new-xmading.ru (email@example.com) has been linked to several trojans by MalwareDomainList.com.
While there are malicious activities associated with shared IP addresses and email addresses, it is important to note that the details of the linkages between all these activities remain unclear. Domain names registered with one email address may be sold to or used by someone else. Moreover, many malicious sites may be hosted on a single IP address, especially when one can purchase crimeware-friendly hosting. So, while the activity can be located within concentrations of malicious activity, and it makes sense to cluster this activity, it is important to remember that there are complex linkages between criminal actors in the malware ecosystem.
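The pivoting described above (linking domains through shared registrant emails and hosting IPs) can be reproduced as a small clustering script. This is an added example, not code from the original post: the domain records, emails and IPs are constructed placeholders, and the weights are an assumption that a shared registrant email is a stronger link than a shared hosting IP, reflecting the caveat that crimeware-friendly hosts pack many unrelated sites onto one address.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (not from the post): domain -> registrant email, hosting IP.
# All emails and IPs are placeholders, not real indicators.
RECORDS = {
    "tds-a.example":     {"email": "reg1@example.org", "ip": "192.0.2.10"},
    "tds-b.example":     {"email": "reg1@example.org", "ip": "192.0.2.11"},
    "rogueav.example":   {"email": "reg2@example.org", "ip": "192.0.2.10"},
    "unrelated.example": {"email": "reg3@example.org", "ip": "198.51.100.5"},
}

# Assumed pivot weights: a shared registrant email counts for more than a shared IP,
# because a single hosting address may carry many unrelated sites.
WEIGHT = {"email": 2, "ip": 1}

def pivot_edges(records):
    """Return {(domain_a, domain_b): {kind: shared value}} for every pair sharing an indicator."""
    index = defaultdict(set)                      # (kind, value) -> domains carrying it
    for dom, attrs in records.items():
        for kind, value in attrs.items():
            index[(kind, value)].add(dom)
    edges = defaultdict(dict)
    for (kind, value), doms in index.items():
        for a, b in combinations(sorted(doms), 2):
            edges[(a, b)][kind] = value
    return dict(edges)

def cluster(records, min_weight=1):
    """Union-find over pivot edges whose summed weight reaches min_weight; returns sorted clusters."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]         # path halving
            x = parent[x]
        return x
    for (a, b), shared in pivot_edges(records).items():
        if sum(WEIGHT[k] for k in shared) >= min_weight:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for (a, b), shared in pivot_edges(RECORDS).items():
        print(f"{a} <-> {b} via {shared}")
    print("loose (any shared indicator):", cluster(RECORDS, min_weight=1))
    print("strict (registrant email only):", cluster(RECORDS, min_weight=2))
```

Raising min_weight drops the IP-only link, so rogueav.example falls out of the TDS cluster; the two views make explicit how much of a cluster rests on the weaker hosting pivot.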