Measuring Pay-Per-Install: PowerPoint PPT Presentation



SLIDE 1

Measuring Pay-Per-Install: The Commoditization of Malware Distribution

Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson
IMDEA Software Institute, UC Berkeley, International Computer Science Institute

SLIDE 2

SLIDE 3

SLIDE 4

SLIDE 5

Market for Malware Installation

  • Goal: Measure and understand the pay-per-install ecosystem
  • Our approach:
    – Infiltrate four PPI programs
    – Develop “milkers” to automatically download malware
    – Download, execute, and classify malware being installed
  • Insights into the pay-per-install business
    – Real-time monitoring of changes in the malware ecosystem
    – Types of clients using PPI
    – Financial impacts of botnet takedown


SLIDE 6

Outline

  • Background on pay-per-install
  • Infiltration and monitoring of PPI
  • Results and measurements
    – Malware being installed by PPI
    – Repacking of malware
    – Geographically diverse distribution


SLIDE 7

PPI Ecosystem

  • Clients
    – Pay the PPI
    – Want malware installed
    – Spambots, information harvesting, rootkits, fake AV
  • Pay-per-install (PPI)
    – Purchases compromised hosts from affiliates
    – Resells to clients
  • Affiliates
    – Compromise machines
    – Execute the PPI’s binary


SLIDE 10


Dropper Lifecycle

[Figure: dropper lifecycle graph observed from one PPI install. Nodes: PPI exe, Rustock-dl, PPI exe, PPI exe, Rustock, PPI exe, Pushdo, Torpig, Pinit, Ambler, Zbot, Cutwail. Legend: Malware exe, PPI-related exe.]

12 binaries downloaded; total time: < 5 minutes

SLIDE 11

PPI Infiltration and Monitoring


SLIDE 12

Infiltration Summary

  • 12 of the 20 most popular families of malware distributed by PPI services
  • Infiltrated four PPI command and control networks
    – Continual monitoring of C&C
    – Download new binaries
    – Download from geo-diverse locations
  • Dropped malware
    – 1,060,895 client binaries downloaded
    – 9,153 distinct binaries


World’s Top Malware, FireEye, July 2010. http://blog.fireeye.com/research/2010/07/worlds_top_modern_malware.html

SLIDE 13

PPI Milking System


SLIDE 14

Milking PPI Services


SLIDE 15

Running Malware


GQ: Practical Containment for Measuring Modern Malware Systems. C. Kreibich, N. Weaver, C. Kanich, W. Cui, V. Paxson. IMC 2011.

SLIDE 16

Classifying Malware


SLIDE 17

Malware Family Coverage


12 / 20 being dropped by PPI!

SLIDE 18

Most Seen Families: Aug 2010


SLIDE 19

Binary Repacking

  • Repacking or crypting
    – Changes program content without changing functionality
    – Frequency reflects concern about AV signatures
  • PPI client binaries
    – Depends on family of malware
    – Average repacking every 11 days
  • PPI affiliate binaries
    – Repacking done by PPI, usually daily
    – Zlob repacking done on-the-fly
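An added example (not the paper's or the authors' milker code) of how the repacking cadence on this slide can be measured from sightings: given (family, date, MD5) records of the kind a milker logs, compute per family the mean gap between first sightings of successive distinct hashes, plus the new-hashes-per-day series behind the MD5-by-date plots. The sightings and hash strings below are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sightings: (family, date observed, md5 of the downloaded binary).
# The "md5-..." strings are placeholders, not real indicators.
SIGHTINGS = [
    ("Rustock", date(2010, 8, 1), "md5-r1"),
    ("Rustock", date(2010, 8, 2), "md5-r1"),    # same hash seen again: not a repack
    ("Rustock", date(2010, 8, 12), "md5-r2"),
    ("Rustock", date(2010, 8, 13), "md5-r2"),
    ("Rustock", date(2010, 8, 23), "md5-r3"),
    ("SecuritySuite", date(2010, 8, 1), "md5-s1"),
    ("SecuritySuite", date(2010, 8, 1), "md5-s2"),  # two new hashes on one day
    ("SecuritySuite", date(2010, 8, 2), "md5-s3"),
    ("SecuritySuite", date(2010, 8, 2), "md5-s4"),
    ("SecuritySuite", date(2010, 8, 3), "md5-s5"),
]


def first_seen(sightings):
    """Map family -> {md5: earliest date that hash was observed}."""
    seen = defaultdict(dict)
    for family, day, md5 in sightings:
        if md5 not in seen[family] or day < seen[family][md5]:
            seen[family][md5] = day
    return seen


def repack_intervals(sightings):
    """Per family: mean days between first sightings of successive distinct MD5s.

    A gap of 0 means several fresh hashes appeared on the same day; a family
    with a single hash has no measurable interval and maps to None.
    """
    result = {}
    for family, hashes in first_seen(sightings).items():
        days = sorted(hashes.values())
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        result[family] = sum(gaps) / len(gaps) if gaps else None
    return result


def new_hashes_per_day(sightings, family):
    """Count of MD5s first observed on each day, ordered by date (one plot series)."""
    counts = defaultdict(int)
    for day in first_seen(sightings)[family].values():
        counts[day] += 1
    return dict(sorted(counts.items()))
```

With the constructed data, Rustock shows an 11-day cadence and SecuritySuite a sub-daily one, matching the contrast between a client binary and a PPI-repacked affiliate binary described on the slide.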


SLIDE 20


MD5s by date for August, 2010 for two families of malware.

[Figure: two panels, Rustock (MD5 index 2 to 14) and SecuritySuite (MD5 index 20 to 140); x-axis Date (08/01 to 09/02), y-axis MD5; points marked by VM Detection (no / yes).]

SLIDE 21


SecuritySuite MD5s by date

[Figure: x-axis Date (08/01 to 09/02), y-axis MD5 (20 to 140); legend VM Detection: no / yes.]


SLIDE 23

Geographic Distribution of Malware

  • Use Tor exit points in 15 different countries
    – Verify exit-node IP using MaxMind GeoIP database
    – Zlob blocks Tor
  • PPI clients are given a choice for installs
    – Prices vary depending on install location
    – Clients monetize hosts differently
  • Localization of fake AV
  • Stolen credit card value varies
  • Legal limitations


SLIDE 24

Distinct Geographic Distribution


Fraction of binaries per family by Tor exit country

[Figure: four panels, Gleishug, Russkill, Rustock, SmartAdsSolutions; y-axis Fraction (0.0 to 0.8); x-axis Tor exit country: DE ES FR GB GR IT JP KR PT RU US.]

SLIDE 25

PPI Arbitrage

  • Affiliate at one PPI, client at another!
  • Exploit price differential
    – PPI 1: Buys 1k installs for $60 in Greece
    – PPI 2: Sells 1k installs for $40 in Greece


SLIDE 26

Conclusions

  • First systematic study of the PPI ecosystem
  • Infiltration provides malware intelligence
    – Used to perform several measurements
  • Much of the world’s top malware using PPI
  • Regular repacking of binaries
  • Clients target geographic locations


SLIDE 27

Questions?
