Measuring pay-per-install: The commoditization of malware distribution

A 2011 study by U.C. Berkeley and the Madrid Institute for Advanced Studies in Software Development Technologies on the techniques of malware distributors.

In the underground world of malware, market players have emerged to provide specific services at the different stages of an infection’s lifecycle. At the heart of malware distribution and monetization is the access to and infection of personal computers. Entrepreneurial hackers are offering access for a price (from $7 to $180 per thousand infections) and make up an informal underground Pay-Per-Install (PPI) industry.

A 2011 study by the University of California, Berkeley and the Madrid Institute for Advanced Studies in Software Development Technologies, “Measuring Pay-per-Install: The Commoditization of Malware Distribution,” used an infrastructure the researchers developed to interact with PPI services, gathering and analyzing more than a million client executables — the package the malware comes in — from across 15 countries to measure the real impact of PPI services.

Highlights of the study include:

  • Overall, more than 57 malware “families” were identified, including spam bots, fake antivirus programs, information-stealing trojans, denial-of-service bots and adware.
  • In an analysis of 313,791 binaries, the study was able to identify and learn from 12 of the 20 most prevalent families of malware.
  • To avoid detection by anti-virus software, malware distributed by PPI services is on average repacked every 11 days, with one observed family of malware repacking up to twice a day.
  • Although most common families of malware targeted both Europe and the United States, there were some families with a single-country focus and some families with no geographic bias.
  • In terms of cost per thousand infections, the United States and Great Britain were at the high end ($100 to $180), other European countries at $20 to $160, and the rest of the world below $10.
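The repacking figure above (a new binary on average every 11 days, up to twice a day for one family) is the kind of metric a defender can derive from their own sample feed: group distinct hashes by family, take each hash's earliest sighting, and measure the gaps. The following is an added illustration, not code from the study or its authors; the family labels, hash prefixes and timestamps are constructed sample data chosen so that one family repacks every 11 days and another twice a day.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the study): one row per observation of a
# client executable, as (family label, hash placeholder, first-seen UTC time).
# A repeated hash models the same binary being downloaded again; that must
# not count as a repack, only a new distinct hash does.
SAMPLE_SIGHTINGS = [
    ("spambot-A", "aa11", "2011-01-01T00:00:00"),
    ("spambot-A", "aa11", "2011-01-05T00:00:00"),  # same binary seen again
    ("spambot-A", "aa22", "2011-01-12T00:00:00"),
    ("spambot-A", "aa33", "2011-01-23T00:00:00"),
    ("fakeav-B", "bb11", "2011-02-01T00:00:00"),
    ("fakeav-B", "bb22", "2011-02-01T12:00:00"),
    ("fakeav-B", "bb33", "2011-02-02T00:00:00"),
    ("fakeav-B", "bb44", "2011-02-02T12:00:00"),
    ("adware-C", "cc11", "2011-03-01T00:00:00"),  # only one binary ever seen
]


def first_seen_by_hash(sightings):
    """Collapse repeated sightings of one hash to its earliest timestamp.

    Returns {family: {hash: datetime}} so that each distinct binary is
    counted exactly once per family.
    """
    earliest = defaultdict(dict)
    for family, digest, ts in sightings:
        when = datetime.fromisoformat(ts)
        seen = earliest[family]
        if digest not in seen or when < seen[digest]:
            seen[digest] = when
    return earliest


def repack_intervals(sightings):
    """Gaps in days between consecutive first-seen distinct binaries per family."""
    intervals = {}
    for family, by_hash in first_seen_by_hash(sightings).items():
        times = sorted(by_hash.values())
        gaps = [(later - earlier).total_seconds() / 86400
                for earlier, later in zip(times, times[1:])]
        intervals[family] = gaps
    return intervals


def mean_repack_days(sightings):
    """Mean repack interval per family; None when fewer than two distinct binaries."""
    return {family: (mean(gaps) if gaps else None)
            for family, gaps in repack_intervals(sightings).items()}


def distinct_binaries(sightings):
    """Number of distinct hashes observed per family."""
    return {family: len(by_hash)
            for family, by_hash in first_seen_by_hash(sightings).items()}


if __name__ == "__main__":
    counts = distinct_binaries(SAMPLE_SIGHTINGS)
    for family, days in sorted(mean_repack_days(SAMPLE_SIGHTINGS).items()):
        label = "n/a (single binary)" if days is None else f"{days:.2f} days"
        print(f"{family:10s} binaries={counts[family]} mean repack interval={label}")
```

The interval is measured on first-seen times of distinct hashes, not on every download, because a PPI service re-serving an unchanged binary tells you nothing about how often its packer is run; a family with a single hash yields no interval rather than a misleading zero.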

For the authors, the study underlines the importance of PPI services in the malware universe. “As defenders, we need to understand and appreciate the threat posed by the ‘silent installs’ industry,” the authors state. “Even if defenders can completely clean up a botnet … the botmaster could return to business-as-usual through modest payments to one or more PPI services.”
