Researchers at the ongoing USENIX Security symposium have offered some fresh insight into the specifics of how the malware underworld values compromised computers which are part of the ever growing and lucrative bot net trade in a presentation of their study called “Measuring Pay-per-install: The commoditization of Malware Distribution“. The paper written by a team headed by Juan Caballero of the IMDEA Software Institute at the Madrid Institute of Advanced Studies being awarded the “outstanding paper” award at the show.
Most people are probably already well aware that zombie computers controlled by bot nets are used for various purposes, some simply commercial and some far more nefarious. In the past a compromised machine was often valued along different lines, hardware resources and available bandwidth often proved the most important factor, but now a days the simple geographic location of the attributed IP address connected to the machine is starting to become the defining benchmark in valuing a zombie’s worth.
This is presumably due to various reasons but one obvious one that I can think of as being potentially lucrative and useful is due to the fact that over the past few years the Internet seems to unfortunately be becoming more and more segmented, classified and tracked based off of an IP’s geographic location. A growing amount of online services and advertisers specifically the big ones have set access controls and limited or locked users out of service usage such as online payment services or revenue sharing schemes purely based of the IP’s geo-localization.
The researchers at the symposium went into a bit of detail on what they call the pay-per-install (PPI) industry and how access to these zombie machines are sold to parties looking for resources to execute malicious code on in order to spread yet more malware or simply to engage in other deceitful and geo-localized circumvention schemes. They even explained how the industry has become so well established that has even spawned a whole slew of traders, middlemen and dealers who all engage in various facets of trading and distributing these zombie machines almost like any other widespread commodity in an established and organized marketplace.
The so called sellers in this PPI marketplace categorize and sell access to the compromised machines primarily based off geographic location rather than other factors such as hardware specs or connection speeds, they then set a different set of rates for each area. For example machines in North America, particularly the U.S. and Canada go for far higher rates than those in South America or Asia. They even gave some examples of apparently widespread known going rates for such bulk purchased zombies, citing prices anywhere from around $110 to $180 for 1,000 machines in the U.S. and U.K. and between $20 to $60 for countries in the rest of Europe. Everywhere else they said the machines usually went for around $10 per thousand and sometimes even far less.
The researchers also classified the different types of malware they came across into 20 distinct families and explained and provided examples of how specific families of malware intelligently get targeted at specific geographic regions and at other times are simply spread indiscriminately.
This is done by installing hidden downloader clients and sometimes even daemons that are timed to periodically seek and receive instructions to download yet more malicious software and corresponding updates onto the victims machine. These downloader trojans are the most important component in the industry far more so than individual malware which can often be discovered or removed while still leaving the downloaders intact. Therefore these PPI’s downloaders go to exhaustive and highly sophisticated lengths in order to remain undetected using various packer programs and polymorphic software updates to try and mask the downloaders signatures. The researchers said that on average these downloaders were repacked and adjusted every 11 days with some doing so even multiple times per day which as you can imagine can potentially make it very difficult to tie a signature to.
They explain how some of these malicious downloader trojans were hard-coded with specific URL’s to access while others were far more dynamic and were sent around to various command and control servers who then in turn sent further instructions on where to connect to get their malware from. These command and control servers in many cases were also found to have sophisticated IDS capabilities and were actually being policed and monitored closely by their owners. The researches IP’s were apparently blacklisted and blocked several times while trying to probe and eavesdrop on these machines in order to conduct their research. The command and control servers in these cases were basically able to detect and differentiate between zombies fully under their their control and those that were potentially being manipulated and modified by experienced users in order to try and backtrack or potentially even override them.
This is all very highly sophisticated stuff indeed and these bot net operators are clearly very cautious and wary of protecting their own networks whether that be from their competition, law enforcement or simply curious hackers looking to learn more. There are evidently some very dedicated and bright people out there working long and hard hours on these bot nets, it’s basically their full time job and they seem to be making pretty good money out of it, but of course we already knew that.