The team also found that PPI programs almost always installed bots that engage infected systems in a variety of “click fraud” schemes, involving fraudulent or automated clicks on ads to falsely generate ad revenue.
One unexpected finding may help explain why PCs infected with one type of malware often quickly become bogged down with multiple infections: Downloaders that are part of one scheme often fetch downloaders from another. In other words, affiliates from one PPI service themselves sometimes act as clients of other services. Consequently, many of the installers pushed by affiliates will overwhelm recipient PCs with many types of malicious software.
“We speculate that some of these multi-PPI-service affiliates are arbitrageurs, trying to take advantage of pricing differentials between the (higher) install rates paid to the affiliates of one service for some geographical region versus the (lower) install rates charged to clients of another PPI service,” the researchers wrote.
This dynamic lends an inherent conflict of interest to the PPI market that hurts both clients and affiliates: The more installations an affiliate provides, the larger the payment received. But the more malware is installed, the greater the likelihood that the owner of an infected system will notice a problem and take steps to eradicate the malware.
PPI services have ominous implications for coordinated efforts to shut down botnets. In recent months, security researchers, Internet service providers, and law enforcement agencies have worked together to dismantle some of the world’s biggest botnets. In March, for example, Microsoft teamed with security firms to cripple the Rustock botnet, long one of the most active spam botnets on the planet.
The Berkeley researchers argue that even if defenders can clean up a botnet—by hijacking its control servers and even remotely disinfecting PCs—the controller of that botnet can rebuild it by making modest payments to one or more PPI services.
“In today’s market, the entire process costs pennies per target host—cheap enough for botmasters to simply rebuild their ranks from scratch in the face of defenders launching extensive, energetic takedown efforts,” the researchers wrote.