Inside the Pay-Per-Install Malware Economy

Secureworks researcher Kevin Stevens has written a must-read article on the Pay-Per-Install (PPI) business model, which is used primarily to spread spyware and malware. The article explains how the affiliate system works, with layers of files and software programs that drive the installation of malware on hijacked Windows computers.

Stevens provides considerable detail on the methods and tools used by cyber-criminals: the seedboxes and crypters used to evade anti-malware detection, and the clever black hat SEO (Search Engine Optimization) techniques used in social engineering attacks.

An example of one affiliate program:

The first PPI site CTU investigated was called InstallsCash, which seems to have changed its name to Earning4u. When it was doing business as InstallsCash, this site claimed to count affiliate installations in real time and claimed that it was not shaving its affiliates' install counts. InstallsCash only pays in increments of 1000 installs. Payments are $140 for U.S. computers, $110 for the U.K., $60 for Italy, $30 for France, and $6 for any computer in Asia (per thousand installs). Affiliates can be paid via Fethard, Webmoney, Wire, Western Union, MoneyGram, Anelik, and EPassporte. The site claims that running the InstallsCash file on a victim's computer installs a toolbar and a dialer. A dialer enables the victim's computer to automatically 'phone home' or go to a specified web site. InstallsCash claims that the dialer launches 15 to 30 minutes after the initial execution.

The article includes screenshots and provides grisly details on how this underground economy operates. Read it in full here.