
By John Leyden, 19th March 2008 16:32

Botnet farmers play the international exchange game

Oz installs worth 30 times more than Asia

Spyware authors are prepared to pay botnet farmers or webmasters much more for infecting PCs in the UK or Australia than machines in continental Europe.

Selling "installs" is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a "nice little earner".

The income that can be earned grows with the number of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm MessageLabs sheds fresh light on the phenomenon.

MessageLabs culled its figures from a malware distribution site in Russia, the existence of which we've verified. The site is loaded with malware and for that reason we'll refer to it by a shortened version of its name, installscash.org.

The site boasts that it already works with 300 webmasters and has four years of experience to fall back on. It boasts of friendly support services and prompt payment. All in all it's all very cybercrime 2.0.

The site boasts: "Anybody can work with our partnership program InstallsCash! You have to do only one thing! Put a short one line iframe code on ur page(s) and START MAKING MONEY!"

"You won't lose your unique visitors with us! You can also have your own exe," it adds.

Following these instructions by adding a single line of code boobytraps web pages with code that attempts to install spyware onto the PCs of visiting surfers. The infected pages might sit on a hacked site, on a site hosted on a web server, or even on a botnet-hosted web page.

Instructions could then be issued to the offending botnet computers to visit the page, download the code and execute it. Once the spyware is installed, it would register with the "seller" and the "affiliate" would then be paid.

While MessageLabs has not yet identified what the downloaded spyware does, it is updated every three days to evade detection. Installscash.org states: "Our program (size: 3 Kb) is loaded to the user and it changes the homepage and installs toolbar and dialer. It’s activated and revealed in 15-30 minutes after download."

MessageLabs notes the similarity between installscash.org and a recently defunct site, iframedollars.biz, which was also hosted in Russia. ®
