Pay-per-install adware

The PPI business has seen significant and malicious changes over the years. It has gone from having victims unknowingly download and install adware to having them download and install spyware and malware. While some PPI sites are still distributing adware, the majority push malware and spyware to unsuspecting users. These PPI sites create an underground economy that profits from installing malware. This economy is so widespread that there is even a side business selling programs to make it more difficult for computer users to detect that they are installing something malicious.

We will first look at www. This site hosts a forum where affiliates come together to discuss the PPI business and how to make money. This site is used for a variety of reasons. Many affiliates of the different PPI sites have various methods and tools they use to maximize the effectiveness of their malware-packed download. One suggested method is the use of peer-to-peer (P2P) networks.

Most affiliates access BitTorrent and download a legitimate program or game crack, bind the malicious file with the legitimate program that they downloaded, upload the bundled file to the torrent sites and advertise that file as the original non-modified file. The goal is to have computer users download the malicious bundled file and execute it, thinking that they are actually installing a useful program and not malware.

One challenge affiliates encounter is that they must perform hundreds to thousands of installs to receive any significant income, which is why sites like www. To address this challenge, many affiliates use a seedbox, a private dedicated server used for uploading and downloading digital files.

Affiliates use a seedbox to rapidly spread their malware-infected files using BitTorrent and eMule, avoiding the need to host the files on their own computer. This can be a labor-intensive process because once a P2P site discovers the malware in the uploaded affiliate file, that file is deleted or banned from the P2P network. Many affiliates take precautions to avoid this scenario by using special tools such as crypters to hide their files. One type of program that www. Crypters are programs that hide malicious files from the anti-virus (AV) solutions intended to protect your computer.

Crypters are used to make a malicious file fully undetectable (FUD). Making files FUD is a money-making business in the world of malware. For example, the crypter on www. Affiliates usually receive free upgrades when the author updates the crypter. Each crypted file carries a stub: the code that decrypts the rest of the program when it is executed.

Because the stub must be available to perform the decryption, it cannot itself be encrypted, and it is eventually identified by AV programs as malicious. To avoid this, crypters are sold with several stubs, with more available for an additional price. PXCrypter has been written to work with many PPI affiliate files, has many features to avoid detection by AV software, and prevents a malicious file from running in a sandbox.
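The stub-plus-encrypted-body layout described above has a measurable side effect that defenders use for triage: the encrypted body looks like random data (byte entropy close to 8 bits), while the small stub that must stay in the clear does not. The following is an added example, not code from the original article or from CTU, that scores a file in fixed-size windows and reports where the low-entropy region ends. The sample bytes are constructed here: a repeated text string stands in for a stub, and seeded pseudo-random bytes stand in for an encrypted payload.

```python
import math
import random

# Constructed sample input (not a real binary): a 2 KiB low-entropy "stub"
# followed by 16 KiB of seeded pseudo-random bytes standing in for an
# encrypted payload, which is statistically indistinguishable from noise.
STUB = (b"stub: decrypt payload, then jump into it\x00" * 64)[:2048]
_rng = random.Random(2024)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(16 * 1024))
CRYPTED_SAMPLE = STUB + PAYLOAD

# Constructed benign comparison: an ordinary text resource of the same size.
PLAIN_SAMPLE = (b"This is an ordinary text resource.\n" * 600)[:18 * 1024]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def window_entropies(data: bytes, window: int = 1024):
    """Entropy of each consecutive window; the last window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def stub_offset(data: bytes, window: int = 1024, threshold: float = 7.0) -> int:
    """Offset where the first high-entropy window starts.

    For a crypted file this approximates the size of the clear-text stub,
    i.e. the only region a signature-based scanner can still match on.
    Returns len(data) if no window crosses the threshold.
    """
    for i, e in enumerate(window_entropies(data, window)):
        if e >= threshold:
            return i * window
    return len(data)


def looks_crypted(data: bytes, window: int = 1024, threshold: float = 7.0,
                  min_fraction: float = 0.6) -> bool:
    """Heuristic: flag when most windows are near-random.

    This is a triage signal, not a verdict: compressed resources and
    legitimate packers also score high, so results should be corroborated
    (e.g. by the sandbox behaviour the article discusses).
    """
    ents = window_entropies(data, window)
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


if __name__ == "__main__":
    for name, blob in (("crypted", CRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(f"{name}: flagged={looks_crypted(blob)} "
              f"clear-text prefix ends at byte {stub_offset(blob)}")
```

Running it reports the crypted sample as flagged with a clear-text prefix of 2048 bytes and the plain sample as not flagged. The window size is the main tuning knob: very small windows inflate the entropy estimate's bias, so 1 KiB or larger is a safer default for this kind of check.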

Sandboxes are often used by security researchers to create a virtual environment where malicious programs can run and be observed without causing damage to the computer or its operating system. Sandboxing is a good way to determine malware behavior and design effective protection techniques and countermeasures. Another type of tool used by affiliates is a Trojan Download Manager.

The www. It is at version 3 and includes: Since the initial CTU writeup of SDdownloader in June , the author of this program has joined forces with another programmer to offer multiple products through their company. The products they offer include software that can pop up advertisements on infected computers, software to manage infected computers similar to the features in SDdownloader, a Gmail account harvester, a binder, and a low-tech version of SDdownloader.

They refer to themselves as internet marketing tool developers. A scammer who doesn't want to use P2P but wants traffic directed to a site hosting malicious files can use black hat SEO techniques. Black hat SEO increases the volume of traffic to a web site by manipulating search engines. Attackers use tools such as XRumer to perform these tasks. XRumer is an auto-submitter program that posts messages to forums, guestbooks, bulletin boards and catalogs. Another method attackers use to increase traffic, so that more victims visit their site and download malicious files, is the use of doorway pages.

A doorway is simply a web page that may list many keywords in an attempt to increase its search engine ranking. The doorway page itself does not contain any malicious files to download, so it will not be removed from search engines or blacklisted. When it was doing business as InstallsCash, this site claimed to count affiliate installations in real time and claimed that it was not shaving its affiliates' install counts. InstallsCash only pays in increments of installs.

InstallsCash claims that the dialer launches 15 to 30 minutes after the initial execution. Downloader Trojans are used to download and install other pieces of malware. The downloader uses the Internet to contact a control server and request a file to download, usually via HTTP to avoid detection.

The infected computer will then start communicating with another Russian server at nxxx. The infected computer will download another piece of malware detected as Koobface from The infected computer performs another phone home operation to wnxxx. The infected computer phones home once again to a Chinese server at When CTU downloaded and installed a new version of the InstallsCash file weeks after the initial investigation in June , the list of downloaded malware had changed.

The Rustock Trojan sends spam; it phoned home to a server in the United States. Piptea also downloaded approximately 10 additional malware and spyware programs. The InstallsCash file download sequence seems to change based on who they are currently doing business with, which could mean InstallsCash is paid by one or more business partners. Based on the affiliate codes embedded in the download URLs for Opera, it appears that Opera directly interacts with PPI operators to purchase installs rather than relying on intermediate affiliates.
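The behaviour described above (a downloader fetching a file over plain HTTP, then a run of phone-home requests and further executable downloads from several unrelated servers within minutes) is something a proxy log can surface even when each request looks innocuous on its own. The following is an added example, not code from the original article or from CTU, that scans constructed proxy log lines for a client that downloads an executable and then, inside a short window, pulls more executables from a spread of distinct hosts. All hostnames, addresses and timestamps are constructed placeholders under reserved `.example` domains, not the redacted servers mentioned in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (not from any real network). Fields:
# timestamp client method url status content-type
SAMPLE_LOG = """\
2024-06-01T10:00:05 10.0.0.7 GET http://dl.first-stage.example/setup.exe 200 application/x-msdownload
2024-06-01T10:00:09 10.0.0.7 GET http://cdn.legit-updates.example/patch.bin 200 application/octet-stream
2024-06-01T10:01:30 10.0.0.7 GET http://dropper.second-stage.example/get.php?id=1 200 application/x-msdownload
2024-06-01T10:02:02 10.0.0.7 POST http://report.third-stage.example/ph 200 text/html
2024-06-01T10:03:44 10.0.0.7 GET http://pay.fourth-stage.example/x.exe 200 application/x-msdownload
2024-06-01T10:05:10 10.0.0.7 GET http://www.news.example/index.html 200 text/html
2024-06-01T10:00:12 10.0.0.9 GET http://www.news.example/index.html 200 text/html
2024-06-01T10:00:40 10.0.0.9 GET http://download.vendor.example/app.exe 200 application/x-msdownload
2024-06-01T10:20:00 10.0.0.9 GET http://www.mail.example/inbox 200 text/html
"""

# Content types commonly served for Windows executables.
EXE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def parse_log(text: str):
    """Parse the whitespace-separated constructed format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname,
            "status": int(status),
            "ctype": ctype,
        })
    return records


def find_download_chains(records, window=timedelta(minutes=10),
                         min_executables=2, min_hosts=3):
    """Flag clients showing a staged-download pattern.

    Trigger: an executable download followed, within `window`, by at least
    `min_executables - 1` more executable downloads, with the whole burst
    spread over at least `min_hosts` distinct hosts. Returns one finding
    per client keyed by client address.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if first["ctype"] not in EXE_TYPES:
                continue
            deadline = first["ts"] + window
            burst = [s for s in recs[i + 1:] if s["ts"] <= deadline]
            executables = 1 + sum(1 for s in burst if s["ctype"] in EXE_TYPES)
            hosts = {first["host"]} | {s["host"] for s in burst}
            if executables >= min_executables and len(hosts) >= min_hosts:
                findings[client] = {
                    "first_download": first["url"],
                    "executables": executables,
                    "hosts": sorted(hosts),
                }
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for client, f in find_download_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {f['executables']} executables from "
              f"{len(f['hosts'])} hosts, starting with {f['first_download']}")
```

On the constructed log only 10.0.0.7 is flagged (three executables from six hosts in under five minutes); 10.0.0.9 downloads one installer and then goes quiet, so it is not. Because the chain runs over ordinary HTTP, as the article notes, the signal is the sequence and host spread rather than any single request; legitimate installers also fetch components, so a host allowlist and the thresholds need tuning against the environment's own baseline.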

The other three programs all operate affiliate programs, yielding a similar distribution pattern to that of anti-virus, though we cannot rule out direct relationships with commercial PPI. Adware and Pay-Per-Install software deals rake in big money.

There are some big names involved too: we observe a small number of major software brands, including Opera, Skype, and browser toolbars, distributed via PPI.

About the author: Tetley.