What is a TDS (Traffic Director System)?

The idea to write this post came from investigating multiple cases of infections in computers because of the ubiquitous Exploit Kits (EK). A visit to a website that apparently should not carry any risk ended with the user calling the security service because he could not open his files and said that an image appeared on the screen asking him for money to recover his data. And in other cases not even that, because he had become infected with a RAT or a banking Trojan and was not aware of it.

There are simple redirection methods that are implemented directly on the web server. They are options that allow to manage the visits to this website and adapt its behavior to the preferences or characteristics of the visitors.

On the other hand, we can find more complex systems that will allow us much more granularity when it comes to managing the flow of connections to our website, and who are great allies also of SEO specialists. In this section we find the so called TDS or Traffic Director / Direction System.

Concepts

Before proceeding with the description, several concepts should be clarified:

  • SERP (Search Engine Result Page): Search results page, the typical page that we find in response to any search we perform in an online search engine.
  • SEO (Search Engine Optimization): Very briefly, those actions that we perform on a website so that our web appears higher in the SERP.
  • PPI (Pay Per Install): Benefit obtained when a visitor to our website downloads software advertised on that site and installs it on his computer. For each installation a profit percentage is obtained.
  • PPC (Pay Per Click): Benefit by clicking on our link.
  • Malvertising: use of online advertisements to distribute malicious software.
  • Campaign: URL that refers to a particular web page within our website.
  • Stream: The flow that the connections received in a campaign will follow.

TDS. Functionality

These types of systems are a great tool for SEO as they allow users to be redirected to content that is best suited to their preferences, depending on their country of origin, language or the characteristics of the device with which they are connecting to the Internet. In their operation, these systems allow to define schemes that will determine the actions and the path that the connections received will take on a certain page of our web site.

In the market there are commercial TDS like Boss TDS, Keitaro TDS or TDS Sutra, and we can also find some other open source like SimpleTDS. To channel these traffic flows, the TDS use different redirection systems, some based on multiple variables defined in the HTTP protocol and other times created ad hoc to improve the user experience. Some of these ways to redirect web traffic are:

  • Using .htaccess file.
  • HTTP 302
  • iframe within the same page.
  • Form submit.
  • Meta refresh.
  • Code javascript.
  • HTTP 404 redirect.

For managing all that incoming traffic coming from multiple locations and devices, TDS usually have the option of defining filters that help direct traffic depending on certain parameters of the connection, such as:

  • Location, time of day
  • Allows you to define filters by ip addresses or subnets
  • HTTP_REFERER header
  • Depending on browser features: version, language, user_agent, javascript enabled, operating system
  • Cookies
  • If the connection is through a proxy
  • Parameters defined ad hoc, etc.

Daily and without being aware of it, we are users of this type of traffic distribution systems, widely used in advertising campaigns, rotation of ads on pages that we visit regularly, targeted marketing.

More than once we have noticed that since that search for information about that holiday in Paris, ads related to the topic have not stopped appearing on some of the pages we visit; or the typical pop-up window with rising pitch advertising that comes at the most unexpected time.

The TDS, in addition to sending us to unsolicited pages, also record our connection data (IP address, time, operating system, browser, monitor resolution, etc …) that can be used later for new campaigns, market statistics studies, etc.

But every ying has its yang, because there is no tool that does not have a fraudulent use. In this case the TDS are used to facilitate the distribution of malware through the internet, taking advantage of their qualities to make the most of these distribution systems. The mode of operation of these systems is as follows:

  1. Compromise websites. Or buy traffic to another TDS.
  2. Redirect that traffic to an attacker-controlled TDS.
  3. File and redirect the victims to the specific exploit appropriate to the configuration of their device.
  4. Download the exploit and install the malware.
  5. Post exploitation.

To avoid detection and make it difficult to track these downloads, it is possible to link several TDSs between them. The aim is to achieve an economic profitability of these acts through different means:

  • Sale of collected user data.
  • Distribution of EK for later exploitation of infected equipment.
  • Malvertising: Contracting of advertising campaigns. These are malicious ads, usually in the form of Flash, javaScript, or DHTML, which redirect the user to fake web pages or exploit a vulnerability in the client.
  • Distribution of ransomware.

As discussed above, TDS are not malicious elements per se within the Internet ecosystem, as they are very useful for the operation of e-commerce and online marketing, but also constitute a good malware distribution platform.

Because of all this, it is interesting to have mechanisms to detect a misuse of these systems, which entails first detecting the use of TDS and secondly determining if said TDS is being used for criminal purposes by redirecting to a malware website. Some parameters that can guide us when determining that we are before a TDS can be:

  • Structure of the URI.
  • Known file names: go.php,in.cgi.
  • Names of known variables: seoref.
  • Its behavior: redirects, meta-refresh parameters.
  • Feeds received from third parties with malicious URLs.

 Conclusions

TDS are very useful in the normal operation of Internet commerce by improving the user experience and distribution of content, but also has its place in malvertising campaigns and can be an effective method when distributing malware, making a directed and ad hoc distribution depending on the characteristics of the equipment, software, location, etc.

Surfing the internet without proper precautions is becoming a “risk sport“. We are the target of “the good guys” who launch their advertising campaigns against us looking for a site in the market and new customers, but also “bad guys” who seek to take advantage of possible browser failures for their own benefit.

See also in: