MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


Pirated Edition. Pay-per-Install affiliate program

Affiliate programs are an increasingly profitable business model for criminals. They create a complete circuit for spreading malware and infecting victims, among many other alternatives, by rewarding their customers with a percentage of the money obtained according to the success of their own business.

One of the most widely adopted schemes within this business model is the payment facility known as Pay-per-Install, in which each customer is paid for every installation of the malware. That is, the customer only has to propagate the malware and wait for someone to become infected.

In this circuit, each member can be a single person or a botnet. The economic return that the affiliate system provides to the criminals who spread the malware is obviously multiplied at scale, so a botmaster profits from a wider economic margin within a shorter time span, on top of the other fraudulent revenue streams that botnets generate.

Another of these affiliate programs is Pirated Edition, whose access panel can be seen in the picture below.

Looking into the affiliate system, we find an extremely minimalist model that only allows the client-offender to check the amount of money earned and to download the malware to spread, including updates to it.

This malicious code, whose default name is limew.exe (MD5 757eda0929b94ea104a1a80825dee3e2), has a very low detection rate. According to the VirusTotal report, it is detected by only 8 of 41 AV engines.

When run, it reports back to the real affiliate program behind this criminal circuit; in this case it calls back with

/get2.php?c=ROBFNNDI&d
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Cache-Control: no-cache
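From a defender's side, the callback above is a usable network indicator: the path prefix /get2.php?c=<affiliate code>, the spoofed MSIE 7.0 User-Agent and the Cache-Control: no-cache header together characterise the check-in. The following script is an added example, not code from MalwareIntelligence or from the affiliate program; it scans constructed proxy log lines in a hypothetical format for that callback, extracts the affiliate code, and grades confidence by whether the headers also match. The log format, the client addresses and the second affiliate code are assumptions made for the example; only the path, the User-Agent, the Cache-Control value and the MD5 come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the post. The affiliate code is matched generically
# so that other customers of the same program are caught, not only ROBFNNDI.
CALLBACK_RE = re.compile(r"^/get2\.php\?c=(?P<affiliate>[A-Z0-9]+)(?:&|$)")
KNOWN_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
KNOWN_MD5 = "757eda0929b94ea104a1a80825dee3e2"  # limew.exe, as reported in the post

# Hypothetical proxy log format, constructed for this example:
#   <client_ip> <method> <path> ua="<user-agent>" cc="<cache-control>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) ua="([^"]*)" cc="([^"]*)"$')


@dataclass
class Hit:
    client: str
    affiliate: str
    confidence: str  # "high" when path and headers match, "medium" on path alone


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"client": m.group(1), "method": m.group(2), "path": m.group(3),
            "ua": m.group(4), "cc": m.group(5)}


def classify(rec: dict) -> Optional[Hit]:
    """Flag a request whose path looks like the Pay-per-Install check-in."""
    m = CALLBACK_RE.match(rec["path"])
    if not m:
        return None
    # The path alone is a medium-confidence signal (the script name is generic enough
    # to collide with benign sites); the sample's exact headers raise it to high.
    headers_match = rec["ua"] == KNOWN_UA and rec["cc"].lower() == "no-cache"
    return Hit(rec["client"], m.group("affiliate"), "high" if headers_match else "medium")


def scan(lines: List[str]) -> List[Hit]:
    """Run the classifier over a batch of log lines and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the whole scan
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


def is_known_sample(md5_hex: str) -> bool:
    """Host-side check: does a file hash match the limew.exe sample from the post?"""
    return md5_hex.strip().lower() == KNOWN_MD5


# Constructed sample log: one full match, one path-only match, one benign request,
# and one malformed line. The client addresses and code AAAA1111 are made up.
SAMPLE_LOG = [
    '10.0.0.5 GET /get2.php?c=ROBFNNDI&d=1 ua="' + KNOWN_UA + '" cc="no-cache"',
    '10.0.0.7 GET /get2.php?c=AAAA1111 ua="Mozilla/5.0 (Windows NT 6.1)" cc=""',
    '10.0.0.9 GET /index.html ua="Mozilla/5.0 (Windows NT 6.1)" cc=""',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client} -> affiliate {h.affiliate} ({h.confidence} confidence)")
```

The affiliate code is worth keeping in the alert: a cluster of infected hosts reporting the same code points at one distributor, which is more useful for scoping the incident than the raw count of check-ins.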

However, this is only one side of the strategy: the same IP ( also resolves other domains, each of which carries the same template.

One particular detail of this affiliate program's policies is worth mentioning. To be paid for an installation of the malware, the infected computer must be located in one of the following countries: Australia, Belgium, Brazil, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Finland, Hungary, Italy, Ireland, Kuwait, Lithuania, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovakia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States and Japan. Payments are made through the Epassporte, AlertPay, PayPal and Webmoney services.
