June 9, 2011

New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs.

One of the PPI programs profiled in the study.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

In August 2010, researchers at the University of California, Berkeley, and the Madrid Institute for Advanced Studies in Software Development Technologies infiltrated four competing PPI services by surreptitiously hijacking multiple affiliate accounts. They built an automated system to regularly download the installers being pushed by the different PPI services.

The snippet above is the introduction to a story I wrote for MIT Tech Review. Read the whole piece at this link.

Ads for Monocash, a 3-year-old PPI program that distributes the Zlob malware

12 thoughts on “Pay-Per-Install a Major Source of Badness

    1. BrianKrebs Post author

      Hrm. That looks a lot more alarming than it should, IMHO.

      It just means that while you are accessing my site via https://, some elements are not loading in https, such as the ads on my site. you can load the same page via http:// and you won’t see that warning.

    2. BrianKrebs Post author

      Marie — Due to a temporary change on the server side, incoming requests for krebsonsecurity.com were momentarily transferred over to https:// connections. That should no longer be the case.

  1. Paul Hunt

    So thinking about this for a minute, is there any evidence that these folks might also be trying to inflitrate or compromise the various services that offer to set up (remove trialware, install other software) new PCs for novice users?

  2. a problem with spam?

    youve also missed out ad jacking aswell

    there are some ppi companies which hijack the ads on webpages and replace them with their own, the installer then gets a share of the profits that are made from the victim clicking the ads.

    never been a great fan of ppi myself. a few of them go onto sell the installs themselves which are usally already full of crap anyway.

    what do you make of gangsta bucks, iv seen them advertise on a few forums and they dont really look all that appealing to be honest.

  3. kbbbb

    I agree Brian, the current strategy to fight botnets isn’t working, and won’t work in the long run. I can’t propose anything better, though.

  4. Fred

    Gangsta bucks, the site you have mentioned in the blog post doesn’t seems to exist or i might not tried rigorously on Google to get its actual U.R.L.

    1. Hub


      Gangstabucks was closed some time ago, it has been kind of the only PPI Site that was publicy available (everyone could get in) now it’s all a bit back more to private.

      I can give you a list of some “Private” PPI providers, if you would like to take a look at some.

  5. Charles Smith

    If banks required you to type in a code text messaged to your mobile phone upon login (much like Chase does), and then again upon any sort of transfer or action that involves moving money around, wouldn’t that stop this sort of crime?


    Where / how do you find that 7 bucks for install on 1000 computers? As a security person I am very curious.


Comments are closed.