The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or download and install an executable which pretends to be the missing application which is needed in order to watch the movie. The animated picture below is such an example: at first glance, it looks like a typically embedded video which is unable to load. The “picture” states that you’d have to click on it in order to see the movie. And here the lure begins - in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates and after too many retries you will be always redirected to the homepage of Google. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” which results in different “outgoing traffic” based on different restrictions. For example, the Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country will be redirected to a different location - just think of localized campaigns targeted to the spoken language in these countries. So users from the United States will not be redirected to a french phishing web site and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer - so lets say that only visitors with a referer from Google will be redirected to a malicious web site as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the websites’ owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.

Other trafic management systems, like shown in the above picture, also feature different logins into the web interface - for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic - that is, infected web sites containing an IFRAME that points to the trafic management system -, and buyers of traffic - e.g. the people who run exploit servers and try to install malware on unpatched computers, thus looking for potential victims. Such traffic management systems can be in between the infected web sites and the exploit servers. As you can see in the above picture also payment options can be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, the campaigns can be easily exchanged or the “traffic” can be sold to new buyers which try to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious ressource nowadays means that you are redirected based on a complex server-side management system.