Inside The Booming Botnet Industry

Going rate for infecting 1,000 unique PCs? Up to $180 in the United States, or $7 or $8 in Asia. The pay-per-install malware business thrives.

When running a botnet, attrition is constant, as security software on PCs finds and eliminates the malicious code that turned the PC into a botnet node. Accordingly, many botmasters outsource infections to whats known as pay-per-install (PPI) service providers. Going rates for infecting 1,000 unique PCs with malware range from up to $180 in the United States and Great Britain, from $20 to $160 for other parts of Europe, down to just $7 or $8 in parts of Asia.
Those findings come from a study presented at Augusts
USENIX Security Symposium
in San Francisco. The investigation into the commoditization of malware distribution was conducted by security researchers at IMDEA (the Madrid Institute for Advanced Studies), the International Computer Science Institute, and the University of California, Berkeley.
Multiple security researchers have
infiltrated black market forums
and recorded PPI pricing. Others have conducted a top-down analysis of the PPI industry by becoming affiliates of services. But for this new study, the researchers said they were the first to take a bottom-up approach, studying the PPI ecosystem as seen from the perspective of the downloads pushed out by PPI services down to their victims.
Their research, conducted from August 2010 to February 2011, started by infiltrating four PPI services--LoaderAdv, GoldInstall, Virut, and Zlob--and gathering the malware executables they distributed to their affiliates, which infect PCs for the PPI provider. Along the way, the researchers said they harvested over a million client executables using vantage points spread across 15 countries. Based on a study of 313,791 binary files captured in a one-month period, they found that 12 of the worlds 20 most prevalent malware families rely on the PPI industry for distribution.
The researchers also found clear distinctions between the PPI industry--which uses silent installs to gain access to PCs, install a downloader, and push malicious applications--and botmasters, who use the malware to control the PC via command-and-control (C&C) servers. (Some botmasters, however, also serve as PPI affiliates.)
Interestingly, PPI providers repack--as in, recompile--their downloaders on average every 11 days, although one service did it twice per day. Repacking generates a new piece of software, which helps the downloader software evade signature-based security defenses, at least until the security vendor spots the new malware and creates a new MD5 hash signature for its detection engine.
Some PPI providers, such as Zlob, also offer a Web service that allows affiliates to repack downloaders on demand. According to the researchers, we requested the downloader for a single affiliate 27 consecutive times, resulting in 27 distinct, working Zlob binaries with identical sizes but differing MD5 hashes.
What happens after a unique PC has been infected and pressed into botnet service? Botmasters might push new malware. They might also activate or download keystroke loggers that
harvest sensitive data
, including bank account numbers and passwords, from the infected PC. Likewise, the infected computer can be turned into a
spam relay
, or used to
launch distributed denial-of-service attacks
against targeted websites.
While many anti-botnet efforts to date have focused on
taking down botnets
and
arresting botmasters
, the researchers suggested also targeting the PPI service industry, since it provides a quick restart option for anyone whose botnet gets busted.
Even if defenders can completely clean up a botnet (as opposed to merely severing its C&C master servers), the botmaster could return to business-as-usual through modest payments to one or more PPI services, said the researchers. Given that multiple malware authors share use of the same PPI services, and that the number of PPI services seems to be significantly smaller than the number of malware families, PPI services are good targets for future takedown efforts.
The new research comes with a cost. Namely, expect the PPI industry to attempt to block similar studies in the future. In particular, we expect PPI services to harden their C&C protocols with more robust use of cryptographic techniques and incorporation of anti-virtualization and triggering mechanisms to increasingly hamper dynamic analysis, said the researchers.
Security professionals often view compliance as a burden, but it doesnt have to be that way. In this report, we show the security team how to partner with the compliance pros.
Download the report here
. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Inside The Booming Botnet Industry