
Make Big Bucks Distributing Malware (But Don't)

It turns out that with a really large-scale Internet attack, it's not effective to protect every PC or other endpoint. Instead, you infiltrate the attacker and defeat it from within.

By Neil J. Rubenking
October 21, 2015
PCMag.com

Vern Paxson, Professor of Electrical Engineering and Computer Sciences at the University of California, Berkeley, is famed in the security community for a 2002 paper titled How to Own the Internet in Your Spare Time (among many other feats). Based on a detailed analysis of the Code Red and Nimda worms, the paper argued for a cyber "Center for Disease Control." These days, Paxson is looking at a different mode for handling large-scale security problems—infiltration. His keynote at the 10th International Conference on Malicious and Unwanted Software (MalCon 2015 for short) impressed me and the attendees with the straightforwardness of this approach.

Make Big Bucks in Your Spare Time
Want to make big bucks in the malware industry? You don't have to be a coder. Even if you have those skills, you don't have to learn every aspect of creating and distributing malware. There are many different jobs in the malware ecosystem.

The key figure in this ecosystem is the broker, the guy who knows business but not coding. He has two kinds of customers. Malware coders have nasty software that they'd like to get installed on many consumer PCs. It could be fake antivirus, ransomware, botnet components, just about anything. Then there are the affiliates, coders who have the resources to get arbitrary software installed on unprotected systems. They use techniques like drive-by downloads, spam, and phishing to inflict a downloader on victim systems.

Now the wheels start turning. Malware coders contract to pay the broker for getting their code installed on as many systems as possible. The affiliates get downloaders installed on as many systems as possible. The downloader contacts the broker, who supplies malware from the coders, probably multiple instances. And the affiliates get paid based on the number of installations. Everybody makes a buck in this Pay Per Install (PPI) system, and these networks are huge.


"There are a couple of brilliances here," said Paxson. "The broker doesn't do anything, doesn't break in, doesn't figure out exploits. The broker is just a middleman, taking profits. Affiliates don't have to negotiate with baddies or know what to do after breaking in. All of the members just have to do their part."

Bad Guys Have Bad Security
"Historically, detection of network attacks has been a game of whack-a-mole," noted Paxson. Smack down one attack, another pops up. It's not a game you can win.

His team tried a different approach against this PPI system. They captured samples of various downloaders and reverse-engineered them to determine how they communicate with their respective brokers. Armed with this information, they devised a system to blast the broker with requests for downloadable malware. Paxson calls this technique "milking" the malware broker.

"You'd think this would fail," said Paxson. "Surely the broker has some kind of authentication system, or rate-limiting?" But as it turns out, they don't. "The cybercrime elements that are not malware-facing are ten years behind in their own security, maybe fifteen," he continued. "They are customer-facing, not malware-facing." There is a second interaction by which the affiliate claims credit for the download; Paxson's team naturally skipped that step.

In five months, the experiment milked out a million binaries, representing 9,000 distinct malware families, from four affiliate programs. Correlating this with a list of the 20 most common malware families, the team determined that this kind of distribution could conceivably be the number one vector for malware distribution. "We found our samples were about a week ahead of VirusTotal," said Paxson. "We are getting it fresh. As soon as the brokers want to push it out, we are getting it. Once it's on VirusTotal you don't push it."

What Else Can We Infiltrate?
Paxson's team also took on websites that sell working accounts for many different services. He noted that the accounts are completely valid, and not precisely illegal, because "their only offense is violating Terms of Service." Facebook and Google cost the most per thousand, because they require phone verification. Twitter accounts aren't quite as expensive.

With Twitter's permission, the research group bought a large collection of fake accounts. By analyzing the accounts, including metadata supplied by Twitter, they developed an algorithm for detecting accounts created using the same automated registration technique, with 99.462% accuracy. Using this algorithm, Twitter took down those accounts; the next day, the account-selling websites had to announce they were out of stock. "It would have been better to terminate the accounts on first use," noted Paxson. "That would have created confusion and actually undermined the ecosystem."

You've surely gotten spam offering to sell you male performance supplements, "real" Rolexes, and such. What these operations have in common is that they actually have to accept payment and ship you the product. There are many links in the chain that gets the spam into your Inbox, handles your purchase, and delivers the product to you. By actually purchasing some (legal) items, Paxson's team found that the weak link in this system was getting the credit card transaction cleared. "Rather than try to disrupt the spam-spewing botnet," said Paxson, "we rendered it not useful." How? They convinced the credit card provider to blacklist three banks, in Azerbaijan, Latvia, and St. Kitts and Nevis.

So what's the takeaway? "With a really large scale Internet attack," Paxson said, "there's no easy way to prevent infiltration. Infiltration is significantly more effective than trying to protect each endpoint."

MalCon is a very small security conference, around 50 attendees, that brings academics, industry, press, and government together. It's backed by Brandeis University and the Institute of Electrical and Electronics Engineers (IEEE), among others. This year's sponsors include Microsoft and Secudit. I've seen a number of papers from MalCon appear a few years later, with more mature research, at the Black Hat conference, so I pay close attention to what's presented here.
