Publication Details
Title: Measuring Pay-per-Install: The Commoditization of Malware Distribution
Author: J. Cabellero, C. Grier, C. Kreibich, and V. Paxson
Bibliographic Information: Proceedings of the 20th USENIX Security Symposium (Security '11), San Francisco, California
Date: August 2011
Research Area: Networking and Security
Type: Article in conference proceedings
PDF: http://www.icsi.berkeley.edu/pubs/networking/measuringpay11.pdf
Overview:
Recent years have seen extensive diversification of the “underground economy” associated with malware and the subversion of Internet-connected systems. This trend toward specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value-chain from malware creation to monetization in the presence of ever-evolving countermeasures poses a daunting task requiring highly developed skills and resources. As a result, entrepreneurial-minded miscreants have formed pay-per-install (PPI) services—specialized organizations that focus on the infection of victims’ systems. In this work we perform a measurement study of the PPI market by infiltrating four PPI services. We develop infrastructure that enables us to interact with PPI services and gather and classify the resulting malware executables distributed by the services. Using our infrastructure, we harvested over a million client executables using vantage points spread across 15 countries. We find that of the world’s top 20 most prevalent families of malware, 12 employ PPI services to buy infections. In addition we analyze the targeting of specific countries by PPI clients, the repacking of executables to evade detection, and the duration of malware distribution.
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS:0433702 (“Center for Internet Epidemiology and Defenses”); CNS:0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"); and CNS:0831535 ("Comprehensive Applications Analysis and Control"), and by the Office of Naval Research. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation or the Office of Naval Research.
Bibliographic Reference:
J. Cabellero, C. Grier, C. Kreibich, and V. Paxson. Measuring Pay-per-Install: The Commoditization of Malware Distribution. Proceedings of the 20th USENIX Security Symposium (Security '11), San Francisco, California, August 2011
Author: J. Cabellero, C. Grier, C. Kreibich, and V. Paxson
Bibliographic Information: Proceedings of the 20th USENIX Security Symposium (Security '11), San Francisco, California
Date: August 2011
Research Area: Networking and Security
Type: Article in conference proceedings
PDF: http://www.icsi.berkeley.edu/pubs/networking/measuringpay11.pdf
Overview:
Recent years have seen extensive diversification of the “underground economy” associated with malware and the subversion of Internet-connected systems. This trend toward specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value-chain from malware creation to monetization in the presence of ever-evolving countermeasures poses a daunting task requiring highly developed skills and resources. As a result, entrepreneurial-minded miscreants have formed pay-per-install (PPI) services—specialized organizations that focus on the infection of victims’ systems. In this work we perform a measurement study of the PPI market by infiltrating four PPI services. We develop infrastructure that enables us to interact with PPI services and gather and classify the resulting malware executables distributed by the services. Using our infrastructure, we harvested over a million client executables using vantage points spread across 15 countries. We find that of the world’s top 20 most prevalent families of malware, 12 employ PPI services to buy infections. In addition we analyze the targeting of specific countries by PPI clients, the repacking of executables to evade detection, and the duration of malware distribution.
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS:0433702 (“Center for Internet Epidemiology and Defenses”); CNS:0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"); and CNS:0831535 ("Comprehensive Applications Analysis and Control"), and by the Office of Naval Research. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation or the Office of Naval Research.
Bibliographic Reference:
J. Cabellero, C. Grier, C. Kreibich, and V. Paxson. Measuring Pay-per-Install: The Commoditization of Malware Distribution. Proceedings of the 20th USENIX Security Symposium (Security '11), San Francisco, California, August 2011