An analysis of the pay-per-install underground economy

USENIX logoA few weeks ago at the USENIX Security Symposium, researchers Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson presented their paper “Understanding the Underground Economy,” a look into the inner workings of the pay-per-install underground economy.

What is pay-per-install? Security researchers use the term to describe one of the most popular malware distribution methods. In the malware economy, criminals have specialized to perform specific services and contract with one another the same as in the legitimate world.

Amazon Web Services logoFor example, you may be familiar with cloud computing and Amazon’s legitimate EC2 (elastic compute cloud) service, which allows you to rent storage space and computing capacity by the hour.

Similarly, criminals have been compromising PCs and “renting” them out to other criminals to send spam, perform DDoS attacks or install additional malware on them. Criminals adopted cloud computing before most of us had ever heard of the idea.

Pay-per-install (PPI) service providers interact with two other criminal groups, clients and affiliates. Clients have malware they want distributed and affiliates infect people’s computers to distribute the malware. The PPI providers are just brokers.

PPIs provide affiliates with a downloader bot that retrieves instructions on where to go to retrieve the malware they would like to install. All the affiliate needs to do is install the downloader bot.

The paper reveals the amount of money PPIs will pay their affiliates per 1,000 installs of these bots in a given country. The low end hovers around $13 for “other” nations, and at the high end, $110 for Canada and Great Britain, and $150 for the United States.

Gold Install pay-per-install rates

Measuring the malware downloads completed by some of the PPIs, the researchers found that 12 of the top 20 malware families were distributed using this method over the course of their study, which surveyed 1,060,895 samples.

They also measured how frequently the malware binaries and download bots changed in an attempt to evade anti-virus. The malware itself changed every 11 days on average, whereas the download bots changed daily.

Some malware families, like rogue security software/fake anti-virus, changed at least daily and sometimes multiple times per day.

One of the more interesting results of this research was the specific preferences that distributors of different types of malware had for the countries where they install their payloads.

PPI geographic distribution

We can see that Gleishug, which hijacks search engine queries, targets Americans, whereas Rustock, a spam bot, is an equal opportunity exploiter.

Russkill, a DDoS malware, seems to prefer Asian hosts. This could be because the price per thousand victim computers is cheaper, or it could be because the target of the attack is in the region.

The paper provides an interesting glimpse into the inner workings of the criminal underground and shows some of the financial factors we’re up against when we try to eliminate the threat.