An analysis of the pay-per-install underground economy

A few weeks ago at the USENIX Security Symposium, researchers Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson presented their paper “Understanding the Underground Economy,” a look into the inner workings of the pay-per-install underground economy.

What is pay-per-install? Security researchers use the term to describe one of the most popular malware distribution methods. In the malware economy, criminals have specialized to perform specific services and contract with one another the same as in the legitimate world.

For example, you may be familiar with cloud computing and Amazon’s legitimate EC2 (elastic compute cloud) service, which allows you to rent storage space and computing capacity by the hour.

Similarly, criminals have been compromising PCs and “renting” them out to other criminals to send spam, perform DDoS attacks or install additional malware on them. Criminals adopted cloud computing before most of us had ever heard of the idea.

Pay-per-install (PPI) service providers interact with two other criminal groups: clients and affiliates. Clients have malware they want distributed, and affiliates infect people’s computers to distribute it. The PPI providers are just brokers.

PPIs provide affiliates with a downloader bot that fetches instructions on where to retrieve the malware the clients want installed. All the affiliate needs to do is install the downloader bot.

The paper reveals the amount of money PPIs will pay their affiliates per 1,000 installs of these bots in a given country. The low end hovers around $13 for “other” nations, and at the high end, $110 for Canada and Great Britain, and $150 for the United States.

Gold Install pay-per-install rates

Measuring the malware downloads completed by some of the PPIs, the researchers found that 12 of the top 20 malware families were distributed using this method over the course of their study, which surveyed 1,060,895 samples.

They also measured how frequently the malware binaries and download bots changed in an attempt to evade anti-virus. The malware itself changed every 11 days on average, whereas the download bots changed daily.

Some malware families, like rogue security software/fake anti-virus, changed at least daily and sometimes multiple times per day.

One of the more interesting results of this research was the specific preferences that distributors of different types of malware had for the countries where they install their payloads.

PPI geographic distribution

We can see that Gleishug, which hijacks search engine queries, targets Americans, whereas Rustock, a spam bot, is an equal opportunity exploiter.

Russkill, DDoS malware, seems to prefer Asian hosts. This could be because the price per thousand victim computers is cheaper, or it could be because the target of the attack is in the region.

The paper provides an interesting glimpse into the inner workings of the criminal underground and shows some of the financial factors we’re up against when we try to eliminate the threat.

Firefox 6.0.2 fixes yet more DigiNotar certificate fallout

Firefox 6.0.2 has just come out, adding more protection to that provided by Firefox 6.0.1, which was necessitated by the mess caused by disgraced Dutch web security company DigiNotar.

(DigiNotar is the former Certificate Authority – or so-called “authority” – which managed to issue more than 500 bogus digital certificates in the name of major web properties such as Facebook, Twitter, Microsoft and Google; in the name of intelligence agencies such as the Mossad and the CIA; and even, it seems, in the name of other certifying authorities.)

Firefox 6.0.1 fixed Mozilla Foundation Security Advisory 2011-34, which simply pulled everything to do with DigiNotar from its list of trusted certificates. Loosely speaking, any certificate signed by DigiNotar, or any certificate signed by someone with a certificate signed by DigiNotar, and so ad infinitum, was blown out of the water.

Any website with a certificate bought through DigiNotar therefore became untrusted at once. As Mozilla quite bluntly explained in the 6.0.1 update, “sites using certificates issued by DigiNotar will need to seek another certificate vendor.” And that’s how it should be. A Certificate Authority isn’t supposed to make mistakes of this sort – not at all, let alone to this extent.

However, Firefox 6.0.1 exempted from its blockade any DigiNotar-tainted certificates signed at the root level by the Dutch government itself, using its STAAT DER NEDERLANDEN ROOT CA signing certificate. The Dutch public service was apparently convinced that none of the certificates for which it was the root signatory had been affected by signing irregularities at DigiNotar.

It turned out that the Dutch authorities had not one, but two, Certificate Authorities of their own, and the second root certificate – imaginatively named STAAT DER NEDERLANDEN ROOT CA - G2 – was not exempted in Firefox 6.0.1.

This was reported as a bug, and Mozilla set about adding an additional exemption for DigiNotar-tainted certificates signed by this CA. This would have reduced the impact of the Firefox certificate blockade on the web services provided by the Dutch authorities.

In the interim, however, the Dutch government changed its mind on this exemption, so the Firefox bugfix changed from “exempt DigiNotar certificates signed by the government CA we left out last time” to “remove the DigiNotar exemption for the government CA we exempted last time.”
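To make the “and so ad infinitum” rule and the root-level exemption concrete, here is an added Python model (not Mozilla’s code) of how a distrust list propagates down a certificate chain and how the 6.0.1 and 6.0.2 exemption policies differ. Certificates are reduced to subject/issuer name pairs, and the chain names (the example.nl hosts and the “DigiNotar PKIoverheid CA” intermediate) are constructed for illustration; real validation also checks signatures, validity periods and revocation, which this model omits.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

def chain_blocked(chain, distrusted, exempt_roots=frozenset()):
    """Return True if the browser must refuse this chain (leaf first, root last).

    distrusted: subject names of CAs pulled from the trust list.
    exempt_roots: roots whose chains are accepted even when tainted.
    """
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"broken chain at {child.subject!r}")
    root = chain[-1]
    if root.subject != root.issuer:
        raise ValueError("chain must end in a self-signed root")
    # Taint flows downwards: a certificate that is, or was signed by, a
    # distrusted CA is tainted, and so is everything beneath it.
    tainted = any(c.subject in distrusted or c.issuer in distrusted for c in chain)
    return tainted and root.subject not in exempt_roots

# Constructed names for illustration; the intermediate is not a real certificate.
DISTRUSTED = {"DigiNotar Root CA", "DigiNotar PKIoverheid CA"}
GOV_ROOT = "STAAT DER NEDERLANDEN ROOT CA"
GOV_ROOT_G2 = "STAAT DER NEDERLANDEN ROOT CA - G2"

COMMERCIAL = (Cert("www.example.nl", "DigiNotar Root CA"),
              Cert("DigiNotar Root CA", "DigiNotar Root CA"))
GOV_G1 = (Cert("portal.example.nl", "DigiNotar PKIoverheid CA"),
          Cert("DigiNotar PKIoverheid CA", GOV_ROOT),
          Cert(GOV_ROOT, GOV_ROOT))
GOV_G2 = (Cert("loket.example.nl", "DigiNotar PKIoverheid CA"),
          Cert("DigiNotar PKIoverheid CA", GOV_ROOT_G2),
          Cert(GOV_ROOT_G2, GOV_ROOT_G2))
CLEAN = (Cert("shop.example.nl", "Some Other CA"),
         Cert("Some Other CA", "Some Other CA"))

def firefox_601(chain):
    """6.0.1 rule: distrust DigiNotar, but exempt chains under the G1 government root."""
    return chain_blocked(chain, DISTRUSTED, {GOV_ROOT})

def firefox_602(chain):
    """6.0.2 rule: no government exemption, so every tainted chain is blocked."""
    return chain_blocked(chain, DISTRUSTED)
```

Running the four chains through both policies shows the G1 government chain flipping from accepted to blocked between 6.0.1 and 6.0.2, while the G2 chain was blocked all along because it was never on the exemption list.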

This sort of step – vigorously disowning everything tainted by DigiNotar – is aggressive but, in my opinion, necessary. Getting into a certification relationship with company X is like buying shares in company X. If the price goes down, all shareholders lose out simultaneously. If the company goes down, you go down with it.

Let’s see whether this fiasco causes the Dutch authorities to reconsider modern public service buzzwords such as “cloud” and “outsourcing”!

NB. This article was updated following an email from Naked Security reader Boris, who pointed out I hadn’t read the Mozilla bugfix thread all the way through! The 6.0.2 patch doesn’t back off slightly from its previous position of certificate blockage, as I said at first. It actually increases its extent, following the Dutch government’s decision to abandon any certificates with DigiNotar in the signing chain. (Thanks, Boris.) And Dutch reader Beamzer suggested rewording the article to make it clear that the Dutch government’s root certificates themselves aren’t revoked, just that having the Dutch government as a root signatory no longer exempts your DigiNotar-tainted certificates from being blocked. (Thanks, Beamzer.)

Be the First to Snatch the Coveted iPhone 5

Thanks to Amit Kulkarni for his contributions to this blog.

Since its launch, the Apple iPhone has been on the wish lists of most consumers. The iPhone 4 has already made an impression in the marketplace, so it is obvious that spammers will make the best of this opportunity. Symantec observed spam tactics just before the release of iPhone 4 and is expecting an even greater spam volume when iPhone 5 is released to the market.

The next generation of iPhone is expected to hit the market in September and spammers don’t want people to wait until the official release. Below is a sample of spammer hype campaigning to lure people into their trap. As usual, the bait is a survey one has to complete to be eligible to own “this coveted piece of art!”

When clicking on the link provided in the email, the user is redirected to a fake survey page where a few interesting questions related to iPhone are asked.


Some of the conditions that the spammers are requiring of users are:

1) Participants must be U.S. residents and at least 18 years of age.
2) Participants must complete the rewards bonus survey.
3) On completion, a total of 10 reward offers await participants along with Terms and Conditions.

Finally, on completing the survey, the user is asked to enter his or her email address to claim the iPhone 5.

So, before buying gadgets, check the legitimacy of the offer to avoid being trapped in fake surveys or promotions. Symantec has been effective at jamming such attacks from clogging up users’ inboxes. Visit the Cybercrime Index to find regular updates on current cybercrime.

Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable

Microsoft has just released an update to security advisory 2607712 permanently moving all five of DigiNotar’s root certificates to the “revoked” certificate store.

How is this different than the previous update Microsoft released?

  1. It provides protection for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2).
  2. It covers all five root certificates owned by DigiNotar. The previous release only blocked two.
  3. Users are no longer presented with a certificate warning; they are prevented outright from accessing sites with SSL certificates issued by DigiNotar.

The third point is a particularly important one. Previously users were presented with a dialog asking them if they wish to proceed (which most users click through) as seen below.

IE untrusted certificate warning

Considering the risk involved with these compromised certificates, Microsoft has taken the additional step of fully revoking them. This prevents the user from clicking through, effectively blocking all access to sites using DigiNotar keys.

IE revoked certificate block

All Windows users using automatic updates will apply this update and no reboot is required (except for Windows XP). What about the users in the Netherlands? Won’t they be prevented from accessing a lot of secure websites with legitimate certificates from DigiNotar?

Yes. Microsoft has worked with the Dutch authorities to delay the rollout of this update to users in the Netherlands and their territories until next Tuesday (Patch Tuesday coincidentally).

This will give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy. Users in the Netherlands will not be prevented from applying the update, it simply won’t automatically apply until next Tuesday.

What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues.

My advice if you run a Mac? Use Boot Camp and Windows 7 until Apple decides to provide a patch. Or I guess you could use Firefox (not Chrome, which also uses Apple’s Keychain)…

Thanks to the JoshMeister for correcting me on Chrome using the Apple Keychain, not its own separate list as on Windows and Linux.

Update: Some folks have been asking for more information on this story. Please find the missing piece of the story in these previous posts: