Measuring Pay-Per-Install: The Commoditization of Malware Distribution
Juan Caballero, Chris Grier, Christian Kreibich and Vern Paxson
IMDEA Software Institute, UC Berkeley, International Computer Science Institute
Market for Malware Installation
• Goal: Measure and understand the pay-per-install ecosystem
• Our approach:
– Infiltrate four PPI programs
– Develop "milkers" to automatically download malware
– Download, execute, and classify malware being installed
• Insights into the pay-per-install business
– Real-time monitoring of changes in the malware ecosystem
– Types of clients using PPI
– Financial impacts of botnet takedown
Outline
• Background on pay-per-install
• Infiltration and monitoring of PPI
• Results and measurements
– Malware being installed by PPI
– Repacking of malware
– Geographically diverse distribution
PPI Ecosystem
• Clients
– Pay the PPI
– Want malware installed
– Spambots, information harvesting, rootkits, fake AV
• Pay-per-install (PPI)
– Purchases compromised hosts from affiliates
– Resells to clients
• Affiliates
– Compromise machines
– Execute the PPI's binary
Dropper Lifecycle
[Figure: chain of downloads starting from the PPI exe, with further PPI exes and malware exes branching from it. Families shown: Torpig, Rustock-dl, Rustock, Pinit, Ambler, Pushdo, Zbot, Cutwail. 12 binaries downloaded, total time < 5 minutes. Legend: Malware exe, PPI related exe.]
PPI Infiltration and Monitoring
Infiltration Summary
• 12 of the 20 most popular families of malware distributed by PPI services
• Infiltrated four PPI command and control networks
– Continual monitoring of C&C
– Download new binaries
– Download from geo-diverse locations
• Dropped Malware
– 1,060,895 client binaries downloaded
– 9,153 distinct binaries
World's Top Malware, FireEye, July 2010. http://blog.fireeye.com/research/2010/07/worlds_top_modern_malware.html
PPI Milking System

Milking PPI Services

Running Malware
GQ: Practical Containment for Measuring Modern Malware Systems. C. Kreibich, N. Weaver, C. Kanich, W. Cui, V. Paxson. IMC 2011.

Classifying Malware

Malware Family Coverage
12 / 20 being dropped by PPI!

Most Seen Families: Aug 2010
Binary Repacking
• Repacking or crypting
– Changes program content without changing functionality
– Frequency reflects concern about AV signatures
• PPI client binaries
– Depends on family of malware
– Average repacking every 11 days
• PPI affiliate binaries
– Repacking done by PPI, usually daily
– Zlob repacking done on-the-fly
[Figure: MD5s by date for August 2010 for two families of malware. Top panel: Rustock, y-axis 0 to 14 distinct MD5s per day, x-axis 08/02 to 09/01. Bottom panel: SecuritySuite, y-axis 0 to 140 distinct MD5s per day, x-axis 08/01 to 09/02. Bars are split by whether the sample performed VM detection (legend: VM Detection, no | yes).]
Geographic Distribution of Malware
• Use Tor exit points in 15 different countries
– Verify exit-node IP using MaxMind GeoIP database
– Zlob blocks Tor
• PPI clients are given a choice for installs
– Prices vary depending on install location
– Clients monetize hosts differently
• Localization of Fake AV
• Stolen credit card value varies
• Legal limitations
Distinct Geographic Distribution
[Figure: four panels (Gleishug, Russkill, Rustock, SmartAdsSolutions), y-axis Fraction from 0.0 to 0.8, x-axis Tor exit country: DE ES FR GB GR IT JP KR PT RU US.]
Fraction of binaries per family by Tor exit country
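Both measurements on the preceding slides, the repacking cadence read off the MD5s-by-date plots and the per-country split of downloads through Tor exits, can be derived from one download log of (family, date, exit country, hash) rows. The Python below is an added example written for this page, not the authors' milking or analysis code. The rows, hash labels and country codes are constructed, and the interval estimator (mean gap in days between successive days on which a family shows a never-before-seen hash) is an assumed definition chosen for illustration, not necessarily the one the paper used.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed download log: (family, date downloaded, Tor exit country, md5).
# Hashes are placeholder labels, not real digests; the rows are invented so
# that the resulting numbers are easy to check by hand.
OBSERVATIONS = [
    ("rustock",       date(2010, 8, 2),  "US", "md5-r1"),
    ("rustock",       date(2010, 8, 3),  "DE", "md5-r1"),  # same build, seen again
    ("rustock",       date(2010, 8, 13), "US", "md5-r2"),
    ("rustock",       date(2010, 8, 24), "US", "md5-r3"),
    ("rustock",       date(2010, 8, 24), "RU", "md5-r4"),  # two new builds in one day
    ("securitysuite", date(2010, 8, 1),  "GR", "md5-s1"),
    ("securitysuite", date(2010, 8, 2),  "GR", "md5-s2"),
    ("securitysuite", date(2010, 8, 3),  "GR", "md5-s3"),
    ("securitysuite", date(2010, 8, 4),  "US", "md5-s4"),
    ("zbot",          date(2010, 8, 10), "GB", "md5-z1"),  # single build: no interval
]


def first_seen(observations):
    """family -> {md5: earliest date that hash was downloaded}."""
    seen = defaultdict(dict)
    for family, day, _country, md5 in observations:
        if md5 not in seen[family] or day < seen[family][md5]:
            seen[family][md5] = day
    return dict(seen)


def new_hashes_per_day(observations):
    """family -> {date: number of hashes making their first appearance that day}.
    Re-downloads of a known hash do not count; this is the series the
    MD5s-by-date plots summarise."""
    counts = defaultdict(lambda: defaultdict(int))
    for family, hashes in first_seen(observations).items():
        for day in hashes.values():
            counts[family][day] += 1
    return {family: dict(c) for family, c in counts.items()}


def repacking_interval_days(observations):
    """family -> mean gap in days between successive days on which a new hash
    appeared (assumed definition), or None when fewer than two such days exist."""
    result = {}
    for family, hashes in first_seen(observations).items():
        days = sorted(set(hashes.values()))
        if len(days) < 2:
            result[family] = None
            continue
        result[family] = mean((b - a).days for a, b in zip(days, days[1:]))
    return result


def country_fractions(observations):
    """family -> {exit country: share of that family's downloads seen from there}."""
    per_family = defaultdict(lambda: defaultdict(int))
    for family, _day, country, _md5 in observations:
        per_family[family][country] += 1
    return {
        family: {c: n / sum(counts.values()) for c, n in counts.items()}
        for family, counts in per_family.items()
    }


if __name__ == "__main__":
    intervals = repacking_interval_days(OBSERVATIONS)
    shares = country_fractions(OBSERVATIONS)
    for family in sorted(intervals):
        by_country = ", ".join(f"{c}={f:.2f}" for c, f in sorted(shares[family].items()))
        print(f"{family:14s} repack interval: {intervals[family]!s:>5} days  exits: {by_country}")
```

Deduplicating on first-seen date matters: a family whose one binary is re-served every day would otherwise look like it repacks daily. Families with a single observed build get None rather than a misleading zero, and the per-country shares are computed over download events, so a family served only to one exit country shows a single bar at 1.0.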
PPI Arbitrage
• Affiliate at one PPI, client at another!
• Exploit price differential
– PPI 1: Buys 1k installs for $60 in Greece
– PPI 2: Sells 1k installs for $40 in Greece
Conclusions
• First systematic study of the PPI ecosystem
• Infiltration provides malware intelligence
– Used to perform several measurements
• Much of the world's top malware using PPI
• Regular repacking of binaries
• Clients target geographic locations
Questions?