

By John Leyden, 19th March 2008 16:32

Botnet farmers play the international exchange game

Oz installs worth 30 times more than Asia

Spyware authors are prepared to pay botnet farmers or webmasters much more for infecting PCs in the UK or Australia than machines in continental Europe.

Selling "installs" is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a "nice little earner".

The income that can be earned grows with the number of installs, and varies with the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm MessageLabs sheds fresh light on the phenomenon.

MessageLabs culled its figures from a malware distribution site in Russia, the existence of which we've verified. The site is loaded with malware and for that reason we'll refer to it by a shortened version of its name,

The site boasts that it already works with 300 webmasters and has four years of experience to fall back on. It boasts of friendly support services and prompt payment. All in all it's all very cybercrime 2.0.

The site boasts: "Anybody can work with our partnership program InstallsCash! You have to do only one thing! Put a short one line iframe code on ur page(s) and START MAKING MONEY!"

"You won't lose your unique visitors with us! You can also have your own exe," it adds.

Following these instructions by adding a single line of code booby-traps web pages with code that attempts to install spyware onto the PCs of visiting surfers. The infected pages might sit on a hacked site, on a site hosted on a web server or even on a botnet-hosted web page.

Instructions could then be issued to the offending botnet computers to visit the page, download the code and execute it. Once the spyware is installed, it would register with the "seller" and the "affiliate" would then be paid.

While MessageLabs has not yet identified what the downloaded spyware does, it is updated every three days to evade detection. states: "Our program (size: 3 Kb) is loaded to the user and it changes the homepage and installs toolbar and dialer. It’s activated and revealed in 15-30 minutes after download."

MessageLabs notes the similarity between and a recently defunct site,, which was also hosted in Russia. ®
