Measuring Pay-per-Install: The Commoditization of Malware Distribution
In the underground world of malware, market players have emerged to provide specific services at the different stages of an infection’s lifecycle. At the heart of malware distribution and monetization is the access to and infection of personal computers. Entrepreneurial hackers are offering access for a price (from $7 to $180 per thousand infections) and make up an informal underground Pay-Per-Install (PPI) industry.
A 2011 study by the University of California, Berkeley and the Madrid Institute for Advanced Studies in Software Development Technologies, “Measuring Pay-per-Install: The Commoditization of Malware Distribution” (PDF), set out to measure the impact of PPI services. The authors developed an infrastructure to interact with PPI services, then used it to gather and analyze more than a million client executables (the package the virus comes in) from across 15 countries.
Highlights of the study include:
- Overall, more than 57 malware “families” were identified, including spam bots, fake antivirus programs, information-stealing trojans, denial-of-service bots and adware.
- In an analysis of 313,791 binaries, the study was able to identify and learn from 12 of the 20 most prevalent families of malware.
- To avoid detection by antivirus software, malware distributed by PPI services is on average repacked every 11 days, with one observed family of malware repacking up to twice a day.
- Although most common families of malware targeted both Europe and the United States, there were some families with a single-country focus and some families with no geographic bias.
- In terms of cost per thousand infections, the United States and Great Britain were at the high end ($100 to $180), other European countries at $20 to $160, and the rest of the world below $10.
For the authors, the study underlines the importance of PPI services in the malware universe. “As defenders, we need to understand and appreciate the threat posed by the ‘silent installs’ industry,” the authors state. “Even if defenders can completely clean up a botnet … the botmaster could return to business-as-usual through modest payments to one or more PPI services.”
Note to instructor: The suggested assignments are designed for flexibility. They can be used in whole or part and can be adapted to a particular task -- for example, the newswriting assignments could be applied to the writing of the headline, the lead, the nut graph or the full story. Material from the assignments could also be combined with other material, for example, in the writing of a background, feature or local-angle story.
Read the study titled "Measuring Pay-per-Install: The Commoditization of Malware Distribution" (PDF).
- Summarize the study in fewer than 40 words.
- Express the study's key term(s) in language a lay audience can understand.
- Evaluate the study's limitations. (For example: Do the results conflict with those of other reliable studies? Are there weaknesses in the study's data or research design?)
Read the study-related Technology Review article titled "Most Malware Tied to 'Pay-Per-Install' Market."
- Reporter's use of the study: Evaluate what the reporter chose to include and exclude from the study. Would the audience have acquired a clear understanding of the study's findings and limits from this article?
- Reporter's use of other material: Assess the material in the article that is not derived from the study. (For example: Does the reporter place the study in the context of other research and to what effect? Does the reporter include reactions to the study from other researchers or interested parties [e.g., political groups, business leaders, or community members] and are their credentials or possible biases made clear?)
- Write a lead (or headline or nut graph) based on the study.
- Spend 60 minutes exploring the issue by accessing sources of information other than the study. Write a lead (or headline or nut graph) based on the study but informed by the new information. Does the new information significantly change what one would write based on the study alone?
- Interview two sources with a stake in or knowledge of the issue. Be prepared to provide them with a short summary of the study in order to get their response to it. Write a 400-word article about the study incorporating material from the interviews.
- Spend additional time exploring the issue and then write a 1,200-word background article, focusing on major aspects of the issue.