Those findings come from a study presented at August's USENIX Security Symposium in San Francisco. The investigation into "the commoditization of malware distribution" was conducted by security researchers at IMDEA (the Madrid Institute for Advanced Studies), the International Computer Science Institute, and the University of California, Berkeley.
Multiple security researchers have infiltrated black market forums and recorded PPI pricing. Others have conducted a top-down analysis of the PPI industry by becoming affiliates of services. But for this new study, the researchers said they were the first to take a bottom-up approach, studying "the PPI ecosystem as seen from the perspective of the downloads pushed out by PPI services down to their victims."
Their research, conducted from August 2010 to February 2011, started by infiltrating four PPI services--LoaderAdv, GoldInstall, Virut, and Zlob--and gathering the malware executables they distributed to their affiliates, which infect PCs for the PPI provider. Along the way, the researchers said they "harvested over a million client executables using vantage points spread across 15 countries." Based on a study of 313,791 binary files captured in a one-month period, they found that 12 of the world's 20 most prevalent malware families rely on the PPI industry for distribution.
The researchers also found clear distinctions between the PPI industry--which uses "silent installs" to gain access to PCs, install a downloader, and push malicious applications--and botmasters, who use the malware to control the PC via command-and-control (C&C) servers. (Some botmasters, however, also serve as PPI affiliates.)
Interestingly, PPI providers repack--as in, recompile--their downloaders on average every 11 days, although one service did it twice per day. Repacking generates a new piece of software, which helps the downloader software evade signature-based security defenses, at least until the security vendor spots the new malware and creates a new MD5 hash signature for its detection engine.
Some PPI providers, such as Zlob, also offer a Web service that allows affiliates to repack downloaders on demand. According to the researchers, "we requested the downloader for a single affiliate 27 consecutive times, resulting in 27 distinct, working Zlob binaries with identical sizes but differing MD5 hashes."
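To make concrete why same-size binaries with differing MD5 hashes leave a hash-based signature engine blind until it catches up, here is an added Python illustration (not the researchers' code and not the real Zlob packer; the 8-byte stub, 16-byte random key and XOR encoding are a constructed toy format). It shows the hash churn across repeated repacks and a detection that keys on the unpacked body instead of the file hash.

```python
import hashlib
import os

# Constructed toy "packer" for illustration only: fixed stub, random
# 16-byte key, payload XOR-encoded with that key. Output size depends only
# on the payload length, so each repack has the same size but a new MD5.
STUB = b"TOYPACK\x00"
KEY_LEN = 16

# Constructed stand-in for a downloader body that stays identical across repacks.
PAYLOAD = b"constructed downloader body; identical across every repack"


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def repack(payload, key=None):
    """Produce a fresh packed sample; a new random key on every call."""
    key = key if key is not None else os.urandom(KEY_LEN)
    return STUB + key + xor_bytes(payload, key)


def unpack(sample):
    """Recover the body, as an emulator or unpacker would for a known packer."""
    if not sample.startswith(STUB):
        raise ValueError("not a toy-packed sample")
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    return xor_bytes(sample[len(STUB) + KEY_LEN:], key)


def md5(data):
    return hashlib.md5(data).hexdigest()


def md5_match(sample, known_md5s):
    """Signature on the packed file: defeated by the very next repack."""
    return md5(sample) in known_md5s


def payload_match(sample, known_payload_md5s):
    """Signature on the unpacked body: unaffected by repacking."""
    try:
        return md5(unpack(sample)) in known_payload_md5s
    except ValueError:
        return False


def churn_report(n):
    """Repack n times (27 mirrors the study); return (distinct sizes, distinct MD5s)."""
    samples = [repack(PAYLOAD) for _ in range(n)]
    return len({len(s) for s in samples}), len({md5(s) for s in samples})
```

`churn_report(27)` returns `(1, 27)`: one file size, twenty-seven hashes, which is the pattern the researchers observed.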
What happens after a unique PC has been infected and pressed into botnet service? Botmasters might push new malware. They might also activate or download keystroke loggers that harvest sensitive data, including bank account numbers and passwords, from the infected PC. Likewise, the infected computer can be turned into a spam relay, or used to launch distributed denial-of-service attacks against targeted websites.
While many anti-botnet efforts to date have focused on taking down botnets and arresting botmasters, the researchers suggested also targeting the PPI service industry, since it provides a quick restart option for anyone whose botnet gets busted.
"Even if defenders can completely clean up a botnet (as opposed to merely severing its C&C master servers), the botmaster could return to business-as-usual through modest payments to one or more PPI services," said the researchers. "Given that multiple malware authors share use of the same PPI services, and that the number of PPI services seems to be significantly smaller than the number of malware families, PPI services are good targets for future takedown efforts."
The new research comes with a cost. Namely, expect the PPI industry to attempt to block similar studies in the future. "In particular, we expect PPI services to harden their C&C protocols with more robust use of cryptographic techniques and incorporation of anti-virtualization and triggering mechanisms to increasingly hamper dynamic analysis," said the researchers.