TR Editors' blog

Get Paid to Install Malware

Botnets are using affiliate programs to infect PCs.

Erica Naone 02/02/2010


Sites like Amazon offer affiliate programs that pay users for sending them new customers. And now, malware authors, always quick to adopt tactics that work elsewhere, have developed their own affiliate program, which was described in a talk given today at the Black Hat DC computer security conference in Washington, DC.

Kevin Stevens, an analyst at Atlanta-based security consulting company SecureWorks, says sites with names like "Earnings4U" offer to pay users for each file they can install on someone else's PC; the practice is called "pay per install." Stevens found sites offering rates ranging from $180 per 1,000 installs on PCs based in the U.S. to $6 per 1,000 installs on PCs based in Asian countries.

As he researched the practice, Stevens says he discovered a number of companies engaged in pay per install. These companies periodically change their names to dodge the authorities. He also found forums where users shared tips for making more money, and a variety of sophisticated tools developed to make it easier for them to install malware. "It's almost like a real, legitimate business," he said.

People who sign up for the affiliate programs often download "malware cocktails" that they then try to distribute as widely as possible. One common technique is to combine the malware with a video and offer it for download on a peer-to-peer file sharing site. Another is to host the malware somewhere on the Web, and use search engine optimization techniques to attract traffic to it.

Stevens outlined several types of software that a malware affiliate can use. "Crypters," for example, are programs that mask malware from antivirus programs. One popular crypter costs about $75 initially, and then $25 to buy fresh pieces of code that keep the malware masked once antivirus programs have begun to recognize the original. Stevens estimates that it's possible to get by for two to three weeks on each such update.

For about $225, a malware affiliate can multiply his earnings by obtaining a Trojan download manager. This program allows him to pump multiple malware cocktails into each infected PC, getting paid for each one on each compromised computer. One Trojan download manager comes with add-ons that allow a user to harvest e-mail addresses from an infected system, which could then be used to send spam or phishing messages.

Stevens estimates that some of the larger companies offering pay-per-install programs are responsible for about 2.8 million malware installs each month.

New Flaws Revealed In A Creaking Internet

Researchers at Black Hat reveal flaws in the infrastructure designed to keep sensitive information secure.

Erica Naone 07/31/2009

In separate presentations at the Black Hat computer security conference in Las Vegas this week, two researchers revealed flaws with the system that protects credit card and password transactions online.

The Secure Socket Layer (SSL) protocol implements the padlock that appears in a browser's address bar, an outward symbol that the underlying communication between browser and server is secure and that the Web page is what it claims to be.

Dan Kaminsky and Moxie Marlinspike separately demonstrated a number of problems with SSL, some immediate and some that could become an issue within the next 18 months. Some of these issues are caused by inconsistencies in how SSL is implemented in the browser compared with how SSL is implemented by the certificate authorities that form the backbone of the system.

Rumblings about this infrastructure have been going on for some time. Late last year, researchers Alexander Sotirov and Marc Stevens showed that an outdated algorithm could undermine the system. Later, Marlinspike released a tool that an attacker could use to capture supposedly secure information.

Later today at Black Hat, Sotirov plans to show further problems with "extended validation" SSL certificates, which are supposed to provide a more secure version of the system.

Last year at Black Hat, Kaminsky revealed a major flaw affecting a vital piece of Internet infrastructure that matches website addresses to the servers that host their pages. Kaminsky said in a press conference yesterday that the "creaking" of the SSL infrastructure is a sign that it's time to look for a new solution. He suggests DNSSEC, a protocol meant to secure the system for looking up website addresses. Kaminsky believes that it could be designed to guarantee a page's identity at the same time it links a user to a requested server. Other researchers, however, including some of Kaminsky's collaborators, don't agree that DNSSEC is the solution, and think there are ways to bolster SSL without discarding it.

Regardless of how people decide to fix the problems revealed at Black Hat, the takeaway is that much of the infrastructure supporting the Internet is straining with the weight of unintended responsibility.

Smart Meters Not Ready for Primetime

Researchers at Black Hat say the current generation of energy devices isn't ready for mass deployment.

Erica Naone 07/31/2009


Money from the United States' stimulus package is flowing into the energy industry, in part to improve the infrastructure for delivering electricity by adding "smart meters" to homes. But security researchers say the dollars are flowing too fast, without enough attention to security.

Mike Davis, a senior security consultant at the Seattle-based security research company IOActive, tested several varieties of the new meters and presented some of his findings yesterday at Black Hat, a computer-security conference in Las Vegas.

Davis explains that smart meters contain a radio chip and mesh networking software that enable them to report customers' energy use automatically, update the software running the devices automatically, and accept remote commands that allow a utility to shut off a customer's electricity over the network. Previously, meters have been able to report energy use wirelessly, but it required using a short-range signal that could be picked up from a utility company vehicle as it drove by. The new meters are more automated, and could operate with less human intervention, Davis says.

With the influx of stimulus dollars, Davis says, a lot of companies have huge lists of features they want to add to the meters. There is also a high level of competition between manufacturers, so products are being rushed to market, he says.

Of particular concern to Davis are commands that allow remote control over consumers' meters. Though individuals have long tried to hack into their meters to save themselves a few dollars, the results of remote control could have a broader effect. "This generation of smart meters is probably not mature enough to handle the remote disconnect feature," he says.

Though Davis is not at liberty to disclose what brands of meters he tested, he says that, for one brand, he was able to design a worm that he could install in one meter and propagate through the network. In simulations, Davis calculated that, in a region where 100 percent of homes have a smart meter installed, the worm could infect some 15,000 meters in the span of 24 hours. Once the worm spreads, an attacker could use it to give commands to the infected meters such as to shut down.

Davis says all the meters he has tested have security flaws that need further examination before the devices are widely deployed. "Cleaning up from a compromise is going to be expensive and slow," he says, and it's better to fix as much as possible before that happens.

Davis is not the only one investigating the security of smart meters. Security researcher Travis Goodspeed also presented at Black Hat his attacks on some of the chips that typically go into smart meters (Goodspeed specializes in chips that use the Zigbee protocol, a communications protocol that's typically used for the low-power digital radios found in smart meters). Goodspeed believes that the chips need more work. "The Zigbee chips presently available are not secure against a local attack," Goodspeed says, meaning that, if an attacker can get access to a device, he believes the attacker can compromise it.

Davis believes better security is possible on the devices. For example, he suggested that the meters themselves could be programmed to detect and report anomalies in the network. In his talk, Davis said, "Customers need to pressure their utilities to make conservative choices when it comes to the security of their meters."
