New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installations with enterprising hackers looking to sell access to compromised PCs.
Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.
The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.
In a new paper researchers from the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies describe infiltrating four competing PPI services in August 2010, by surreptitiously hijacking multiple affiliate accounts. The team built an automated system to regularly download the installers being pushed by the different PPI services.
The researchers analyzed more than one million installers offered by PPI services. That analysis led to a startling discovery: Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.
“Going into this study, I didn’t appreciate that PPI is potentially the number one vector for badness out there,” said Vern Paxson, associate professor of electrical engineering and computer sciences at UC Berkeley. “We have a sense now that botnets potentially are worth millions [of dollars] per year, because they provide a means for miscreants to outsource the global dissemination of their malware.”
The researchers set out to map the geographic distribution of malware being pushed by these services, so they devised an automated way to download installers. They used services such as Amazon’s EC2 cloud computing platform, and “Tor,” a free service that lets users communicate anonymously by routing their connections through multiple computers around the world, to trick the pay-per-install program into thinking requests were coming from locations around the globe.
The system classified the collected malware by type of network traffic each sample generated when run on a test system. The researchers said they took precautions to prevent affiliate accounts from being credited with the test installations.
The analysis of the PPI services indicates that they most frequently target PCs in Europe and the United States. These regions are wealthier than most others, and offer affiliates the highest per-install rates.
But the researchers surmise that there are factors beyond price that may influence a PPI client’s choice of country. For example, a spambot such as Rustock requires little more than a unique Internet address to send spam, whereas fake antivirus software relies on the victim to make a credit card or bank payment, and thus may need to support multiple languages or purchasing methods.
The team also found that PPI programs almost always installed bots that engage infected systems in a variety of “click fraud” schemes, involving fraudulent or automated clicks on ads to falsely generate ad revenue.
One unexpected finding may help explain why PCs infected with one type of malware often quickly become bogged down with multiple infections: Downloaders that are part of one scheme often fetch downloaders from another. In other words, affiliates from one PPI service themselves sometimes act as clients of other services. Consequently, many of the installers pushed by affiliates will overwhelm recipient PCs with many types of malicious software.
“We speculate that some of these multi-PPI-service affiliates are arbitrageurs, trying to take advantage of pricing differentials between the (higher) install rates paid to the affiliates of one service for some geographical region versus the (lower) install rates charged to clients of another PPI service,” the researchers wrote.
This dynamic lends an inherent conflict of interest to the PPI market that hurts both clients and affiliates: The more installations an affiliate provides, the larger the payment received. But the more malware is installed, the greater the likelihood that the owner of an infected system will notice a problem and take steps to eradicate the malware.
PPI services have ominous implications for coordinated efforts to shut down botnets. In recent months, security researchers, Internet service providers, and law enforcement agencies have worked together to dismantle some of the world’s biggest botnets. In March, for example, Microsoft teamed with security firms to cripple the Rustock botnet, long one of the most active spam botnets on the planet.
The Berkeley researchers argue that even if defenders can clean up a botnet—by hijacking its control servers and even remotely disinfecting PCs—the controller of that botnet can rebuild it by making modest payments to one or more PPI services.
“In today’s market, the entire process costs pennies per target host—cheap enough for botmasters to simply rebuild their ranks from scratch in the face of defenders launching extensive, energetic takedown efforts,” the researchers wrote.