Denizens of the malware underworld who sell access to compromised computers do so at varying rates depending on where the machines are located, researchers told the Usenix Security Symposium this week.
The researchers followed what they called the pay-per-install (PPI) industry, which obtains infected machines from which malware can be launched and sells access to these machines to parties looking for someplace to execute malicious code. Sometimes the PPI sellers hire middlemen to supply the compromised machines, and the PPI dealer retails them.
The PPI sellers sell access to compromised machines by region, charging more for those in the U.S. than for those in Asia, for example. The going rates are $110 to $180 per 1,000 machines in the U.S. and United Kingdom, $20 to $60 for countries in the rest of Europe and less than $10 for anywhere else.
The research, called "Measuring Pay-per-install: The commoditization of Malware Distribution," was awarded outstanding paper at the show. It was written by a team headed by Juan Caballero of the IMDEA Software Institute at the University of California at Berkeley.
In their analysis, the researchers say certain families of malware were targeted at specific regions. For example, Ertfor, SecuritySuite and SmartAdsSolutions families targeted the U.S. and Europe; Gleishug hit just the U.S. and Rustock seemed to scatter everywhere.
This seems driven by the type of activity the malware engages in, they say. Rustock, a spambot, requires little more than an IP address for spam to be sent to, and it was sent indiscriminately to compromised computers around the globe.
On the other hand, SecuritySuite, a fake antivirus scam, includes versions written in different languages, so attackers using it target specific versions for specific countries. The software may need to support specific regional online payment services as well, the researchers say.
The researchers sorted all the malware they found into families, 20 in all, with seven of them being distributed by more than one PPI.
The first step is installing a downloader, software that seeks and downloads malicious software to the victim machine. To avoid detection, PPIs use packer programs that mask the signatures of the downloaders. On average, the downloaders were repacked every 11 days, with some, such as SecuritySuite, being repacked twice a day.
Some downloaders connect with URLs hardwired within them to access malware. Others connect with command and control servers that decide what malware to send them.
During the course of their testing, the researchers found that command and control servers could be sensitive to the machines that connect with them. They found, for instance, that while the researchers were refining their code to eavesdrop on PPI vendors, some command and control servers detected that the eavesdropping code didn't represent real zombie machines and blacklisted their IP addresses.