We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

Most Malware Tied to 'Pay-Per-Install' Market

A shadowy industry lets spammers and other cybercriminals pay their way into your computer.

New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installations with enterprising hackers looking to sell access to compromised PCs.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

In a new paper researchers from the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies describe infiltrating four competing PPI services in August 2010, by surreptitiously hijacking multiple affiliate accounts. The team built an automated system to regularly download the installers being pushed by the different PPI services.

The researchers analyzed more than one million installers offered by PPI services. That analysis led to a startling discovery: Of the world’s top 20 types of malware, 12 employed PPI services to buy infections.

“Going into this study, I didn’t appreciate that PPI is potentially the number one vector for badness out there,” said Vern Paxson, associate professor of electrical engineering and computer sciences at UC Berkeley. “We have a sense now that botnets potentially are worth millions [of dollars] per year, because they provide a means for miscreants to outsource the global dissemination of their malware.”

The researchers set out to map the geographic distribution of malware being pushed by these services, so they devised an automated way to download installers. They used services such as Amazon’s EC2 cloud computing platform, and “Tor,” a free service that lets users communicate anonymously by routing their connections through multiple computers around the world, to trick the pay-per-install program into thinking requests were coming from locations around the globe.

The system classified the collected malware by type of network traffic each sample generated when run on a test system. The researchers said they took precautions to prevent affiliate accounts from being credited with the test installations.

The analysis of the PPI services indicates that they most frequently target PCs in Europe and the United States. These regions are wealthier than most others, and offer affiliates the highest per-install rates.

But the researchers surmise that there are factors beyond price that may influence a PPI client’s choice of country. For example, a spambot such as Rustock requires little more than a unique Internet address to send spam, whereas fake antivirus software relies on the victim to make a credit card or bank payment, and thus may need to support multiple languages or purchasing methods.

The team also found that PPI programs almost always installed bots that engage infected systems in a variety of “click fraud” schemes, involving fraudulent or automated clicks on ads to falsely generate ad revenue.

One unexpected finding may help explain why PCs infected with one type of malware often quickly become bogged down with multiple infections: Downloaders that are part of one scheme often fetch downloaders from another. In other words, affiliates from one PPI service themselves sometimes act as clients of other services. Consequently, many of the installers pushed by affiliates will overwhelm recipient PCs with many types of malicious software.

“We speculate that some of these multi-PPI-service affiliates are arbitrageurs, trying to take advantage of pricing differentials between the (higher) install rates paid to the affiliates of one service for some geographical region versus the (lower) install rates charged to clients of another PPI service,” the researchers wrote.

This dynamic lends an inherent conflict of interest to the PPI market that hurts both clients and affiliates: The more installations an affiliate provides, the larger the payment received. But the more malware is installed, the greater the likelihood that the owner of an infected system will notice a problem and take steps to eradicate the malware.

PPI services have ominous implications for coordinated efforts to shut down botnets. In recent months, security researchers, Internet service providers, and law enforcement agencies have worked together to dismantle some of the world’s biggest botnets. In March, for example, Microsoft teamed with security firms to cripple the Rustock botnet, long one of the most active spam botnets on the planet. 

The Berkeley researchers argue that even if defenders can clean up a botnet—by hijacking its control servers and even remotely disinfecting PCs—the controller of that botnet can rebuild it by making modest payments to one or more PPI services.

“In today’s market, the entire process costs pennies per target host—cheap enough for botmasters to simply rebuild their ranks from scratch in the face of defenders launching extensive, energetic takedown efforts,” the researchers wrote.

Keep up with the latest in cyber security at EmTech Digital.
Don't be left behind.

March 25-26, 2019
San Francisco, CA

Register now
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.