Proactive IT Security

The profitable Pay-per-Install ecosystem

Introduction

The process of creating, distributing and installing malware has over the years become an industry. Where one entity previously performed all the tasks involved, the work is increasingly divided among specialized parties.

In several of our security articles, we have stated that the malware business is becoming more and more like legitimate business. See for example these articles:

In this article, we shall examine one ecosystem involved in malware distribution - the "Pay-per-Install" market.

Pay-per-Install - an ecosystem for distribution of malware

Researchers from the University of California, Berkeley (U.S.), the Madrid Institute for Advanced Studies in Software Development Technologies (Spain), and the International Computer Science Institute (U.S.) recently published a paper on Pay-per-Install (PPI) distribution. The study examines the different parties involved in the PPI ecosystem and makes quite strong statements about how large a share of all malware distribution goes through PPI.

In this article we focus on the PPI ecosystem and how it is used for malware distribution.

The evolution of malware

In its early days, malware was written by individuals whose main motivation was often recognition among other malware writers. Computer viruses and worms were the most widespread types of malware.

These days the situation is completely different. The main motivation for creating malware is economic gain, either direct (e.g. tricking users into purchasing fake antimalware) or indirect (e.g. industrial espionage). Traditional viruses and worms have been replaced by spyware, keyloggers, backdoor programs and trojans.

The people and organizations behind today's malware are also different. Criminal groups with significant economic muscle are involved in the malware industry. The degree of sophistication has evolved, and software such as rootkits and packers is used to hide the malware from discovery.

Specialization

The rationale for specialization in a business process is old. The famous economist Adam Smith advocated the advantages of specialized labor in the late 1770s. Thus, it should come as no surprise that specialization is also used in the process of creating, distributing and installing malware.

The PPI participants

The above-mentioned research paper defines three different participants in the PPI ecosystem:

  1. The clients
  2. The PPI providers
  3. The PPI affiliates

Each of these has a distinct, well-defined role.

The clients

The clients provide the malicious program they want deployed. This malware can be of different types, such as fake antimalware, keyloggers and other kinds of spyware.

The clients are willing to pay a certain amount of money for successful installation of their malware on a defined set of target hosts (defined by number of hosts as well as by geographical location).

The PPI providers

The PPI providers offer the system for distributing the clients' malware.

They sell successful installations of the clients' malware on target hosts. These targets may be restricted to particular regions, and the price varies between regions (the U.S. and Western Europe are the most expensive, while Asian countries are cheaper).

Some PPI providers operate with affiliates, and then give each affiliate a unique downloader program.

The affiliates

The affiliates receive their profit from the PPI providers based on the number of successful installations of that particular affiliate's downloader on target computers. The affiliates are thus unknown to the clients.

Affiliates often operate their own botnet, compromising hosts with their own malware, which in turn downloads and installs the PPI provider's "product". Since affiliates may work with several PPI providers, an infected host will often be multiply infected with different malware.

Avoiding detection

The success of any malware is to some degree dependent on avoiding detection by antimalware programs.

The malware creators (the clients) as well as the PPI providers therefore use different techniques to avoid detection. The study focuses in particular on program packers as one such technique. Program packers are usually third-party products that change the size and content of a program in such a way that antimalware products have difficulty identifying the packed malware.

PPI providers may re-pack the same malware several times during its life cycle.
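The following is an added illustration of why re-packing defeats whole-file signatures, written for this article rather than taken from the study. It uses zlib compression behind a per-run salt as a stand-in for a packer (a real packer also prepends an unpacking stub), a constructed low-entropy text blob as the "payload", and compares two detectors: a blocklist holding the SHA-256 of the first variant seen, and a byte-entropy heuristic of the kind used to flag packed or encrypted executables for closer inspection. The payload, the salt scheme and the 7.0 bits/byte threshold are assumptions chosen for the demonstration.

```python
import hashlib
import math
import random
import zlib


def make_payload(words: int = 6000, seed: int = 7) -> bytes:
    """Constructed low-entropy 'program': pseudo-text over a small vocabulary.

    It stands in for the client's executable; nothing about it is real malware.
    """
    rng = random.Random(seed)
    vocab = ["install", "config", "update", "service", "report", "user", "host",
             "module", "key", "data", "window", "file", "registry", "network",
             "check", "value", "start", "stop", "load", "save"]
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


PAYLOAD = make_payload()


def repack(payload: bytes, salt: bytes) -> bytes:
    """Toy stand-in for one packer run (assumption: compression behind a salt).

    Every distinct salt yields a different byte stream for the same payload,
    which is all a whole-file hash signature ever sees.
    """
    return zlib.compress(salt + payload, 9)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hash_blocklist_hits(samples, blocklist) -> int:
    """Samples caught by a whole-file hash blocklist."""
    return sum(1 for s in samples if sha256(s) in blocklist)


def entropy_hits(samples, threshold: float = 7.0) -> int:
    """Samples flagged as packed/encrypted-looking by the entropy heuristic."""
    return sum(1 for s in samples if shannon_entropy(s) > threshold)


def simulate(runs: int = 5, seed: int = 1234) -> dict:
    """Re-pack one payload `runs` times and compare the two detectors.

    The blocklist knows only the hash of the first variant, mirroring a
    signature written for the first sample a vendor received.
    """
    rng = random.Random(seed)
    variants = [repack(PAYLOAD, rng.randbytes(8)) for _ in range(runs)]
    blocklist = {sha256(variants[0])}
    return {
        "variants": runs,
        "distinct_hashes": len({sha256(v) for v in variants}),
        "blocklist_hits": hash_blocklist_hits(variants, blocklist),
        "entropy_hits": entropy_hits(variants),
        "plain_entropy": round(shannon_entropy(PAYLOAD), 2),
        "packed_entropy": round(shannon_entropy(variants[0]), 2),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:>16}: {v}")
```

Five re-packs of one payload give five distinct hashes, so the blocklist catches exactly one of them, while the entropy heuristic flags all five because the packed content stays near 8 bits/byte regardless of salt. The heuristic is only a triage signal (legitimate installers and compressed media also score high), which is why it is normally combined with unpacking or behavioural analysis rather than used alone.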

Relevance for defending against malware

The study indicates that PPI distribution constitutes a major part of all malware distribution. Although we are reluctant to accept that the share is as big as the study implies, it seems certain that this distribution technique is significant.

An interesting point the study therefore makes is that it should be useful for malware defenders to focus on taking down the PPI providers. They are probably fewer than the malware creators (the clients), and their removal from the distribution chain should therefore have a considerable effect.
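To make the take-down argument concrete, and to tie it back to the three roles described under "The PPI participants", here is an added example (our own illustration, not data or code from the study). It models a constructed ecosystem in which clients hand their payload to a PPI provider, providers distribute unique downloaders to affiliates, and affiliates' botnets deliver the installs that PPI pays for; clients never connect to affiliates directly, matching the paper's observation that affiliates are unknown to the clients. Every node name, edge and install count is made up for the demonstration. The code then asks, for each single node, how many installs would no longer be reachable if that node were removed.

```python
from collections import defaultdict

# Constructed toy ecosystem. Edges follow the direction the payload travels:
# client -> PPI provider -> affiliate (whose botnet performs the installs).
CLIENTS = {"client_fakeAV", "client_keylogger", "client_spyware",
           "client_adware", "client_banker"}
PROVIDERS = {"provider_A", "provider_B"}
AFFILIATES = {"aff_1", "aff_2", "aff_3", "aff_4", "aff_5"}

EDGES = [
    ("client_fakeAV", "provider_A"), ("client_keylogger", "provider_A"),
    ("client_spyware", "provider_B"), ("client_adware", "provider_B"),
    ("client_banker", "provider_A"), ("client_banker", "provider_B"),
    ("provider_A", "aff_1"), ("provider_A", "aff_2"), ("provider_A", "aff_3"),
    ("provider_B", "aff_3"), ("provider_B", "aff_4"), ("provider_B", "aff_5"),
]
# Constructed number of installs each affiliate's botnet can deliver
# (aff_3 works for both providers, as the article notes affiliates may).
INSTALLS = {"aff_1": 900, "aff_2": 600, "aff_3": 600, "aff_4": 400, "aff_5": 300}


def build_graph(edges, removed=frozenset()):
    """Adjacency sets, dropping every edge that touches a removed node."""
    g = defaultdict(set)
    for src, dst in edges:
        if src in removed or dst in removed:
            continue
        g[src].add(dst)
    return g


def reachable_affiliates(g, client):
    """Affiliates a client's payload can still reach via some provider."""
    seen, stack = set(), [client]
    while stack:
        node = stack.pop()
        for nxt in g.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return {n for n in seen if n in AFFILIATES}


def install_capacity(edges, removed=frozenset()):
    """Installs still obtainable, summed over clients.

    An affiliate reachable through two providers is counted once per client.
    """
    g = build_graph(edges, removed)
    return sum(INSTALLS[a]
               for c in CLIENTS - set(removed)
               for a in reachable_affiliates(g, c))


def takedown_impact(edges):
    """Installs lost when each single node is taken down, largest first."""
    baseline = install_capacity(edges)
    impact = {n: baseline - install_capacity(edges, frozenset([n]))
              for n in CLIENTS | PROVIDERS | AFFILIATES}
    return baseline, sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    baseline, ranked = takedown_impact(EDGES)
    print(f"baseline reachable installs: {baseline}")
    for node, lost in ranked:
        print(f"{node:>17}: -{lost}")
```

In this constructed graph the two providers head the ranking (provider_A removes 5700 of 9600 reachable installs, provider_B 3300), ahead of the largest client (2800) and the shared affiliate aff_3 (3000), because each provider sits on the path of several clients at once. The numbers are illustrative only; the structural point is that a node through which many clients' payloads must pass is a better take-down target than any one client.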

Reference