Security researcher reveals the new face of cybercrime: pay-per-install

The methodology behind PPI is similar to pay-per-click advertising, Infosecurity notes, except that the results are far from benign, with cybercriminals then renting out access to the swarms of infected PCs to stage DDoS attacks and/or generate spam.

According to Krebs, PPI services are advertised on underground web forums, with clients submitting their malware (which can be a spambot, fake antivirus software, or a password-stealing trojan) to the PPI service.

The service, he claims, then charges rates from $7.00 to $180.00 per thousand successful installations, depending on the requested geographic location of the desired victims.

The third-party affiliates then go off and install the malware using a variety of methodologies but, says the researcher, they are only paid for successful infections, with tracking taking place using a code identifier built into the malware itself.

"In a new paper, researchers from the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies describe infiltrating four competing PPI services in August 2010, by surreptitiously hijacking multiple affiliate accounts", says Krebs in his latest security blog.

"The team built an automated system to regularly download the installers being pushed by the different PPI services", he added.

Krebs goes on to say that the researchers analysed more than a million installers offered by PPI services. That analysis led to a startling discovery: Of the world's top 20 types of malware, 12 employed PPI services to buy infections.

Or to put it another way, Infosecurity notes, 60 per cent of the world's top malware uses PPI to achieve its infections, a process that, the researcher claims, could be worth tens of millions of dollars a year in commission payments.

By analysing the level of infections, Krebs says, the research teams have identified that the most popular infection targets are PCs in Europe and the US, owing to the fact that these regions are wealthier than most others and offer affiliates the highest per-install rates.

"But the researchers surmise that there are factors beyond price that may influence a PPI client's choice of country", he says.

"For example, a spambot such as Rustock requires little more than a unique internet address to send spam, whereas fake antivirus software relies on the victim to make a credit card or bank payment, and thus may need to support multiple languages or purchasing methods", he adds.
