DOI: 10.5555/2028067.2028080

Article

Measuring pay-per-install: the commoditization of malware distribution

Published: 08 August 2011

Abstract

Recent years have seen extensive diversification of the "underground economy" associated with malware and the subversion of Internet-connected systems. This trend towards specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value chain from malware creation to monetization, in the presence of ever-evolving countermeasures, poses a daunting task requiring highly developed skills and resources. As a result, entrepreneurial-minded miscreants have formed pay-per-install (PPI) services: specialized organizations that focus on the infection of victims' systems.

In this work we perform a measurement study of the PPI market by infiltrating four PPI services. We develop infrastructure that enables us to interact with PPI services and to gather and classify the resulting malware executables distributed by the services. Using our infrastructure, we harvested over a million client executables using vantage points spread across 15 countries. We find that of the world's top 20 most prevalent families of malware, 12 employ PPI services to buy infections. In addition, we analyze the targeting of specific countries by PPI clients, the repacking of executables to evade detection, and the duration of malware distribution.



Information

Published In

SEC'11: Proceedings of the 20th USENIX conference on Security
August 2011
35 pages
  • Program Chair: David Wagner

Sponsors

  • NSF: National Science Foundation
  • Google Inc.
  • IBMR: IBM Research
  • Microsoft Research: Microsoft Research
  • RSA: The Security Division of EMC

Publisher

USENIX Association

United States

Publication History

Published: 08 August 2011

Qualifiers

  • Article

Article Metrics

  • Downloads (last 12 months): 0
  • Downloads (last 6 weeks): 0

Reflects downloads up to 11 Dec 2024

Citations

Cited By

  • (2023) A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments. ACM Transactions on Privacy and Security 26(2), 1-30. DOI 10.1145/3565362. Online publication date: 12 Apr 2023.
  • (2021) TagVet. Proceedings of the 14th European Workshop on Systems Security, 34-40. DOI 10.1145/3447852.3458719. Online publication date: 26 Apr 2021.
  • (2021) One Size Does Not Fit All. ACM Transactions on Privacy and Security 24(2), 1-31. DOI 10.1145/3429741. Online publication date: 21 Jan 2021.
  • (2020) Understanding Incentivized Mobile App Installs on Google Play Store. Proceedings of the ACM Internet Measurement Conference, 696-709. DOI 10.1145/3419394.3423662. Online publication date: 27 Oct 2020.
  • (2020) Who is targeted by email-based phishing and malware? Proceedings of the ACM Internet Measurement Conference, 567-576. DOI 10.1145/3419394.3423617. Online publication date: 27 Oct 2020.
  • (2020) Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 1665-1680. DOI 10.1145/3372297.3417892. Online publication date: 30 Oct 2020.
  • (2019) Waves of Malice. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, 168-180. DOI 10.1145/3321705.3329807. Online publication date: 2 Jul 2019.
  • (2019) Outguard: Detecting In-Browser Covert Cryptocurrency Mining in the Wild. The World Wide Web Conference, 840-852. DOI 10.1145/3308558.3313665. Online publication date: 13 May 2019.
  • (2019) Leveraging Compression-Based Graph Mining for Behavior-Based Malware Detection. IEEE Transactions on Dependable and Secure Computing 16(1), 99-112. DOI 10.1109/TDSC.2017.2675881. Online publication date: 1 Jan 2019.
  • (2018) Systematically Understanding the Cyber Attack Business. ACM Computing Surveys 51(4), 1-36. DOI 10.1145/3199674. Online publication date: 6 Jul 2018.
