An analysis of the pay-per-install underground economy


A few weeks ago at the USENIX Security Symposium, researchers Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson presented their paper "Understanding the Underground Economy," a look into the inner workings of the pay-per-install underground economy.

What is pay-per-install? Security researchers use the term to describe one of the most popular malware distribution methods. In the malware economy, criminals have specialized to perform specific services and contract with one another, just as businesses do in the legitimate world.

For example, you may be familiar with cloud computing and Amazon's legitimate EC2 (elastic compute cloud) service, which allows you to rent storage space and computing capacity by the hour.

Similarly, criminals have been compromising PCs and "renting" them out to other criminals to send spam, perform DDoS attacks or install additional malware on them. Criminals adopted cloud computing before most of us had ever heard of the idea.

Pay-per-install (PPI) service providers interact with two other criminal groups: clients and affiliates. Clients have malware they want distributed, and affiliates infect people's computers to distribute the malware. The PPI providers are just brokers.

PPIs provide affiliates with a downloader bot that retrieves instructions on where to go to retrieve the malware they would like to install. All the affiliate needs to do is install the downloader bot.

The paper reveals the amount of money PPIs will pay their affiliates per 1,000 installs of these bots in a given country. The low end hovers around $13 for "other" nations, and at the high end, $110 for Canada and Great Britain, and $150 for the United States.

[Image: Gold Install pay-per-install rates]

Measuring the malware downloads completed by some of the PPIs, the researchers found that 12 of the top 20 malware families were distributed using this method over the course of their study, which surveyed 1,060,895 samples.

They also measured how frequently the malware binaries and download bots changed in an attempt to evade anti-virus. The malware itself changed every 11 days on average, whereas the download bots changed daily.

Some malware families, like rogue security software/fake anti-virus, changed at least daily and sometimes multiple times per day.

One of the more interesting results of this research was the specific preferences that distributors of different types of malware had for the countries where they install their payloads.

[Image: PPI geographic distribution]

We can see that Gleishug, which hijacks search engine queries, targets Americans, whereas Rustock, a spam bot, is an equal opportunity exploiter.

Russkill, a DDoS malware, seems to prefer Asian hosts. This could be because the price per thousand victim computers is cheaper, or it could be because the target of the attack is in the region.

The paper provides an interesting glimpse into the inner workings of the criminal underground and shows some of the financial factors we're up against when we try to eliminate the threat.


5 Responses to An analysis of the pay-per-install underground economy

  1. Jack · 1491 days ago

    So where is the money infused into the system? Who is offering up the money to fund the incentives to install the malware?

    Don't tell me how much I can earn installing malware, tell me who we need to go after to cut off the funding.

    • Machin Shin · 1491 days ago

      To cut off the funding you need to go after the ignorant computer users who fall into the trap of paying for the fake AV, buying the Viagra, or whatever else they are marketing. So long as there are people willing to throw their money away there will be people ready to take it.

    • dotxed · 1490 days ago

      ... and there will always be people willing to throw their money away, so do not expect an improvement.

  2. BSG · 1491 days ago


    great article--excited to hear your presentation 9/13 in DTC--can't wait!


    my guess would be the RBN/Other shady state-funded type of groups. When you have (effectively) a mafia supporting cybercrime and receiving funds from after-effects of malware/scareware, they can always put more money back in.

  3. Chris Grier was interviewed on Pauldotcom this past Thursday night. Check out the interview.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at