Technology Review

Most Malware Tied to 'Pay-Per-Install' Market

A shadowy industry lets spammers and other cybercriminals pay their way into your computer.

  • Thursday, June 9, 2011
  • By Brian Krebs

New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installations with enterprising hackers looking to sell access to compromised PCs.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or "affiliates," hackers who are tasked with figuring out how to install the malware on victims' machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

In a new paper, researchers from the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies describe infiltrating four competing PPI services in August 2010 by surreptitiously hijacking multiple affiliate accounts. The team built an automated system to regularly download the installers being pushed by the different PPI services.

The researchers analyzed more than one million installers offered by PPI services. That analysis led to a startling discovery: Of the world's top 20 types of malware, 12 employed PPI services to buy infections.

"Going into this study, I didn't appreciate that PPI is potentially the number one vector for badness out there," said Vern Paxson, associate professor of electrical engineering and computer sciences at UC Berkeley. "We have a sense now that botnets potentially are worth millions [of dollars] per year, because they provide a means for miscreants to outsource the global dissemination of their malware."

The researchers set out to map the geographic distribution of malware being pushed by these services, so they devised an automated way to download installers. They used services such as Amazon's EC2 cloud computing platform, and "Tor," a free service that lets users communicate anonymously by routing their connections through multiple computers around the world, to trick the pay-per-install program into thinking requests were coming from locations around the globe.

The system classified the collected malware by type of network traffic each sample generated when run on a test system. The researchers said they took precautions to prevent affiliate accounts from being credited with the test installations.

The analysis of the PPI services indicates that they most frequently target PCs in Europe and the United States. These regions are wealthier than most others, and offer affiliates the highest per-install rates.

But the researchers surmise that there are factors beyond price that may influence a PPI client's choice of country. For example, a spambot such as Rustock requires little more than a unique Internet address to send spam, whereas fake antivirus software relies on the victim to make a credit card or bank payment, and thus may need to support multiple languages or purchasing methods.
