The web provides a number of mechanisms for people to make money. Advertising, per-per-click, referrals, sales – all these mechanisms (and more) have been abused by attackers. Web traffic is money, the ability to control or direct the traffic is power. One of the interesting characteristics of web attacks is the use of ‘traffic control’ systems. I will try to illustrate what I mean with an example.
Regular readers will be familiar with the flowcharts I have used to illustrate how an attack works. Let’s consider a classic driveby attack:
- multiple compromised sites loading content from various pages on a domain controlled by the attacker
- which load content from an attack site
- which hits the victim’s browsers with multiple exploits to install a Trojan
So, familiar territory which we can illustrate as follows:
The top row of nodes represent compromised sites. Globally distributed, and triggering various detections these pages all load content from an attacker site hosted in China. This site then loads exploits from the attack site (highlighted in yellow).
The concept of ‘traffic control’ lies with the middle row of nodes (a page on a site hosted in China). Anyone with control over this page, has the power to control the attack, to dictate which exploits and what payloads the victim will get hit with. I label this the control site therefore.
Monitoring a few of these control sites over time shows some interesting characteristics.
- periodically they flow into different attack sites, changing the nature of the attack
- WHOIS registration information and other details suggest the same groups behind numerous control sites
Illustrating how the control sites change over time is awkward. Presenting a similar flowchart but with different domain names in the nodes does not work well. Showing the attack geographically shows the many-to-one relationships between the compromised sites and the control site very effectively.
Each red dot shows the location of where each of the domains involved in the attack is hosted. Blue lines are shown between compromised sites and the control site. A red line shows the link from the control site to the attack site (hosting the exploits).
I am curious as to the financial role and importance of these control sites. Are they available for hire? An administrator of a control site referenced by lots of compromised sites would be in a perfect position to sell his services. Other hackers could hire ‘redirect time’ in order to hit victims with their malware. Maybe close monitoring of some carefully chosen attacks over time will give us some clues if this business model is in use.