Traffic Distribution System (TDS) On Infected Websites

This malware technique is widely used to monitor and redirect traffic from compromised website to malicious content or paid referrals. In past, we highlighted similar cases in our blog: Blacklisted website used to drive traffic to ‘penny stock website’

Malicious TDS flow

Malicious TDS flow

Malicious Traffic Distribution System diagram



Background

ThreatSign! client received complaint from his customer that his website got blocked when accessed from Google Chrome. 

Malware details

Upon internal malware scan the infection was identified inside WordPress theme. Obfuscated malicious code generated hidden iframe redirecting visitors to TDS from where they got landed on 3d party pages depending on location, web browser type and other parameters. In some cases, user gets redirected to fake Adobe player download page.

Obfuscated Malicious JavaScript Code

Obfuscated Malicious JavaScript Code

Decoded Malicious Iframe

Decoded Malicious Iframe

Malicious Iframe content after the decoding


VirusTotal report : https://virustotal.com/en/url/0a2d7c043097045c7e3ed1e0fb3ca6c48942223a342d66f35afed8f3d365ef3c/analysis/1461252848/

VirusTotal detection rate

Detection rate

Shows the number of vendors that detect malware on VirusTotal list


Malware clean-up

Search for similar code inside your WordPress theme. If you suspect that your website was infected by this or similar malware please select from our Website Anti-malware Monitoring plans and our experts will be happy to clean it up for you.

© 2017 Quttera Ltd. All rights reserved.