In recent years, the economy built around malware and the subversion of Internet-connected systems has diversified extensively. This malware-driven economy is commonly called the "underground economy". The trend towards specialization has compelling forces driving it: criminals readily recognize that tackling the entire value chain, from malware creation to monetization, in the face of ever-evolving countermeasures is a daunting task requiring highly developed skills and resources. As a result, entrepreneurially minded criminals have formed pay-per-install (PPI) services: specialized organizations that focus on infecting victims' systems.
Market forces have thus fostered a service culture with a wide range of specialized providers for every stage of the malware-monetization lifecycle, such as malware toolkits, packing tools to evade antivirus (AV) software, bullet-proof hosting, and forums for buying and selling illegally acquired gains.
At the heart of this ecosystem lies the infection of victim computers. Virtually every enterprise in this market ultimately hinges on access to compromised systems. To meet the demand for wholesale infection of Internet systems, a service called pay-per-install (PPI) has arisen. PPI services play a key role in the modern malware marketplace by giving criminals a way to outsource the global dissemination of their malware. A miscreant simply determines the raw number of victim systems that fits within their budget (optionally with a specific geographic distribution), supplies a PPI service with payment and the malware executables of their choice, and in short order the malware is installed on thousands of new systems. In today's market the entire process costs pennies per target host, which is cheap enough for botmasters to rebuild their ranks from scratch even when defenders mount extensive, energetic take-down efforts against PPI services.
It is worth noting the rate at which malware makers repack their wares to evade hash-based signatures: on average they repack specimens every 11 days, and some malware families repack up to twice a day.
The particulars of how different PPI services interact with their affiliates also include surprising evidence: some affiliates who sell installs to a particular PPI service not only buy installs from rival PPI services, but also from the very service to which they sell installs, apparently to exploit arbitrage. Business competition is very much in progress.
An Overview of Pay-Per-Install
The PPI market consists of three main actors: clients, PPI providers (or services), and affiliates. Let us look at them one by one.
Clients
Clients are entities that want to install programs onto a number of target hosts. They wish to buy installs of their programs. The PPI provider receives money from clients for the service of installing their programs onto the target hosts, where installation comprises distributing the programs to the target hosts, executing the client programs, and tracking successful executions for accounting.
PPI Provider
The PPI provider develops a program, called a downloader, that retrieves and runs the clients' executables upon installation. The PPI provider may install the downloader itself or may outsource distribution to third parties called affiliates.
Affiliates
When a provider has affiliates, the provider acts as a middleman that sells installs to the clients while buying installs from affiliates that specialize in some specific distribution method (e.g., bundling malware with a benign program and distributing the bundle via file-sharing networks, drive-by-download exploits, or social engineering). PPI providers pay affiliates for each target host on which they execute the provider's downloader program. Once the downloader runs, it connects to the PPI provider to download the client programs. If the PPI provider does the distribution itself, we call the service a direct PPI service. If the PPI provider runs an affiliate program, we call it an affiliate PPI service.
Typical Transactions Steps in PPI Market
A typical transaction in the PPI market proceeds as follows:
1. PPI clients provide the software they want to have installed and pay a PPI service to distribute it.
2. The PPI service conducts downloader infections itself or employs affiliates that install the PPI's downloader on victim machines.
3. The PPI service pushes out the clients' executables through the downloader.
4. Affiliates receive a commission for any successful installations they facilitated.
In general, both reputable and not-so-reputable entities use PPI services. In this article we focus on the use of PPI services as a distribution mechanism for malware, e.g., bots, trojans, fake AV software, and spyware. Hereafter we use the term PPI providers to refer exclusively to those providers that perform or facilitate silent installs.
The PPI Ecosystem
To describe the PPI ecosystem in terms of the transactions that take place between clients and PPI providers, and between PPI providers and their affiliates, let us look at the activities at each tier of the market: clients, providers, and affiliates.
Clients.
Clients profit from the malicious activities enabled by the malware they want to deploy on target hosts, such as click fraud, stealing user information (e.g., credit card numbers, credentials), or selling software to the user under false pretenses (e.g., fake AV). PPI providers allow clients to choose the geographic distribution of target hosts. This choice creates price differentiation in the market, because demand for machines in certain regions and the supply of target hosts both vary by region. Clients pay only per unique install, i.e., for one installation of their program on a given target host.
PPI providers.
PPI providers profit from the installation fees paid by clients. PPI install rates vary from $100–$180 per thousand unique installs in the most demanded regions (often the US and the UK, and more recently other European nations), down to $7–$8 in the least popular ones (predominantly Asia). In the observed data, PPI providers install multiple client programs on the same target host, and there is no sign of attempts to secure exclusive use of a target host on behalf of a client. Exclusivity is difficult to guarantee because a PPI provider generally cannot know whether a target host already runs other malware (e.g., a rival PPI downloader that installs competitors of the client program). It is also very difficult for clients to validate that the PPI service installed only their malware on a host.
Affiliate PPI services give each affiliate a PPI downloader program personalized with the affiliate's unique identifier. The service credits affiliates for executing their specific PPI downloader on a target host, and only for confirmed installs. The confirmation takes the form of the PPI downloader sending the personalized affiliate identifier back to the PPI provider after it has downloaded and executed the client programs. Thus affiliates receive credit only after the installs have actually been delivered.
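The three accounting rules just described (clients are charged per unique install at a regional rate, affiliates are paid per host on which their personalized downloader runs, and credit is booked only on the downloader's confirmation report) can be made concrete with a small simulation. The code below is an added example written for this article, not code from any PPI service or from the study it summarizes. Both sides of the exchange are modelled: a Provider object plays the service's accounting back end, and run_downloader plays the downloader on one victim host, with a toy AV that blocks any client program whose MD5 is on the host's blocklist. The price tables, the region codes, the rule that a host counts as confirmed only if at least one client program executed, and the client and host names are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed prices (USD) per 1,000 unique installs. The US/GB and ID values sit
# inside the ranges quoted in the text; the tiers themselves are illustrative.
CLIENT_RATE_PER_1000 = {"US": 150.0, "GB": 150.0, "DE": 60.0, "ID": 8.0}
# Assumed affiliate payout (USD) per 1,000 confirmed downloader installs.
AFFILIATE_RATE_PER_1000 = {"US": 100.0, "GB": 100.0, "DE": 40.0, "ID": 5.0}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


@dataclass
class Provider:
    """Accounting side of a PPI service: registers clients and affiliates,
    hands out personalized downloaders, serves client programs, and books
    charges and credits only for confirmed, unique installs."""
    programs: Dict[str, bytes] = field(default_factory=dict)        # client -> program bytes
    affiliates: Set[str] = field(default_factory=set)
    client_installs: Set[Tuple[str, str]] = field(default_factory=set)     # (client, host)
    affiliate_installs: Set[Tuple[str, str]] = field(default_factory=set)  # (affiliate, host)
    client_charges: Dict[str, float] = field(default_factory=dict)
    affiliate_credits: Dict[str, float] = field(default_factory=dict)

    def register_client(self, client: str, program: bytes) -> None:
        self.programs[client] = program

    def build_downloader(self, affiliate: str) -> dict:
        """The downloader 'binary' handed to an affiliate, personalized with its ID."""
        self.affiliates.add(affiliate)
        return {"affiliate_id": affiliate}

    def fetch_programs(self, affiliate: str, host: str) -> List[Tuple[str, bytes]]:
        """Step 3 of the transaction: the downloader asks for client programs.
        Only clients not yet installed on this host are served (assumption)."""
        if affiliate not in self.affiliates:
            return []
        return [(c, p) for c, p in self.programs.items()
                if (c, host) not in self.client_installs]

    def confirm(self, affiliate: str, host: str, region: str, executed: List[str]) -> None:
        """Step 4: the downloader reports its affiliate ID and what ran.
        Clients are charged once per (client, host); the affiliate is credited
        once per host, and only if at least one client program executed."""
        if affiliate not in self.affiliates:
            return
        for client in executed:
            key = (client, host)
            if client in self.programs and key not in self.client_installs:
                self.client_installs.add(key)
                self.client_charges[client] = (self.client_charges.get(client, 0.0)
                                               + CLIENT_RATE_PER_1000[region] / 1000)
        if executed and (affiliate, host) not in self.affiliate_installs:
            self.affiliate_installs.add((affiliate, host))
            self.affiliate_credits[affiliate] = (self.affiliate_credits.get(affiliate, 0.0)
                                                 + AFFILIATE_RATE_PER_1000[region] / 1000)


def run_downloader(downloader: dict, provider: Provider, host: str, region: str,
                   av_blocklist: Set[str]) -> List[str]:
    """Downloader side on one victim host. The toy AV blocks any program whose
    MD5 is on the host's blocklist; everything else counts as executed."""
    affiliate = downloader["affiliate_id"]
    executed = [client for client, program in provider.fetch_programs(affiliate, host)
                if md5(program) not in av_blocklist]
    provider.confirm(affiliate, host, region, executed)
    return executed


def simulate() -> Provider:
    """Constructed scenario: two clients, two affiliates, three hosts."""
    p = Provider()
    p.register_client("clientA", b"constructed program A")
    p.register_client("clientB", b"constructed program B")
    aff1 = p.build_downloader("aff1")
    aff2 = p.build_downloader("aff2")
    run_downloader(aff1, p, "host-1", "US", set())
    run_downloader(aff1, p, "host-1", "US", set())      # re-run on the same host: nothing new is billed
    run_downloader(aff2, p, "host-2", "ID", set())      # cheap region
    run_downloader(aff1, p, "host-3", "GB", {md5(b"constructed program B")})  # AV blocks clientB
    return p


if __name__ == "__main__":
    p = simulate()
    print("client charges:   ", p.client_charges)
    print("affiliate credits:", p.affiliate_credits)
```

Running it shows clientA billed for three unique installs and clientB for two (the blocked one never makes it into the confirmation), while aff1 is credited for two hosts rather than three because the repeat run on host-1 is deduplicated. The same structure explains why clients cannot verify exclusivity: nothing in the confirmation tells the client which other programs ran on the host.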
Affiliates.
Affiliates profit from the installs they perform on behalf of the PPI provider, with the distribution method remaining opaque to the clients. Affiliates may in fact be botmasters that compromise hosts, install their own malware, and then task that malware with downloading and installing PPI downloaders as one way of monetizing their botnet. In doing so, the botmaster relinquishes exclusive control of the hosts in exchange for the install payments from the PPI service. The same botmasters might work with multiple PPI providers simultaneously to maximize the income from each bot, installing several affiliate binaries on each host. Indeed, the market has a fundamental conflict of interest: the more installs a botmaster/affiliate provides, the more they are paid, but each install degrades the quality of the previous ones, because the likelihood that the system's owner notices the infection and remedies it rises with the volume of malicious installs on the system.
Evading Detection by Antivirus Software
AV software may detect and block any program in the installation chain, making it difficult to sustain installs. Providing stealthy executables is therefore a key objective for both PPI providers and clients. In the PPI ecosystem, clients are usually responsible for making their own programs stealthy before handing them to the PPI provider, while affiliates rely on the PPI provider to supply them with a stealthy downloader.
To render programs stealthy, both PPI providers and clients employ packer programs sold by third parties. Packers change the program's content so that its signature (e.g., its MD5 hash) differs even though the program's functionality is unchanged. Sophisticated packers may also change the program's size and add detection techniques for debuggers and virtual machines, which analysts commonly use. PPI providers are responsible for packing the PPI downloaders for each affiliate and testing that the resulting executable remains undetected by AV software. In addition, PPI providers instruct affiliates and clients not to test their programs on free online malware scanners, because these services often redistribute samples to AV vendors. The vendors may then add new signatures to their databases, thus uncloaking the programs.