MIT Technology Review



New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installations with enterprising hackers looking to sell access to compromised PCs.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites so that the files are automatically downloaded onto visitors’ machines; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

In a new paper, researchers from the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies describe infiltrating four competing PPI services in August 2010 by surreptitiously hijacking multiple affiliate accounts. The team built an automated system to regularly download the installers being pushed by the different PPI services.

The researchers analyzed more than one million installers offered by PPI services. That analysis led to a startling discovery: Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.

“Going into this study, I didn’t appreciate that PPI is potentially the number one vector for badness out there,” said Vern Paxson, associate professor of electrical engineering and computer sciences at UC Berkeley. “We have a sense now that botnets potentially are worth millions [of dollars] per year, because they provide a means for miscreants to outsource the global dissemination of their malware.”

The researchers set out to map the geographic distribution of malware being pushed by these services, so they devised an automated way to download installers. They used services such as Amazon’s EC2 cloud computing platform, and “Tor,” a free service that lets users communicate anonymously by routing their connections through multiple computers around the world, to trick the pay-per-install program into thinking requests were coming from locations around the globe.

The system classified the collected malware by the type of network traffic each sample generated when run on a test system. The researchers said they took precautions to prevent affiliate accounts from being credited with the test installations.

The analysis of the PPI services indicates that they most frequently target PCs in Europe and the United States. These regions are wealthier than most others, and offer affiliates the highest per-install rates.

But the researchers surmise that there are factors beyond price that may influence a PPI client’s choice of country. For example, a spambot such as Rustock requires little more than a unique Internet address to send spam, whereas fake antivirus software relies on the victim to make a credit card or bank payment, and thus may need to support multiple languages or purchasing methods.


Credit: Technology Review

Tagged: Computing, hackers, spam, cyber security, botnets, cybercriminals
