Saturday, June 27, 2009

Making Money with Your Own Stealthy Botnet - Part II

Continuing on from yesterday's discussion of making money from botnets the stealthy way using a customer-advertiser approach, let's look at another "if I had a big botnet I'd..." vector for making real money.

2. Pay-per-Installs
Pay-per-install is a more recent permutation of click-based advertising payment schemes, except that in this case the affiliate is paid for getting others to install a piece of software rather than for a click.

As the owner of a Web site you get paid a small amount each time a visitor to your site downloads a software package and installs it on their computer. Sounds dubious? Well, yes, it's an odd business model, but there are quite a few service providers in this realm, so it looks like someone is making money from the system somewhere. (Note: there's a more detailed discussion of how the pay-per-install business operates at the end of this post.)

Exploiting this payment system with a botnet is pretty obvious. With 50k victim computers under your control you simply remotely install the software packages on each of them and collect the cash at the end of the day. It's so obvious, in fact, that quite a few botnet operators are already doing it. Early last year I was alerted to an enterprise-level victim that had several thousand infected hosts worldwide and was trying to figure out why these hosts were routinely installing and uninstalling software - unaware that they had been compromised and were under the control of a bot master conducting pay-per-install fraud.

But, even though this particular scam is already in operation, it looks to me to be an interesting way of making money from a botnet. And, based upon what I've seen and heard, there is still quite a bit of room for "improvement".

If I owned a botnet of 50,000 victims, I'd aim to make it more stealthy than what's out there today. Some obvious advancements would include:
  1. Stealthy installation. With the bot agents already operating with administrator or system-level permissions, I'd make sure that all package installations are done without any user-visible prompts or confirmations. In some cases this may be quite difficult, because several of the more popular (and higher paying) pay-per-install affiliate systems attempt to thwart "illegal" installation of their software and have hard-coded clickable popup boxes or prompts for user-supplied information. That said, most bot agents today have access to scripting languages and I'm certain I could automate the clicking and filling in of any forms - so that's not going to be a problem.
  2. Log management. From what I've observed so far, it's going to be important to manage the application and security logs on the host. I'm going to have to either prevent my software installations from being logged and audited, or erase any entries that crop up. This would be pretty easy for home PCs, but may be more difficult for enterprise victims that report their logs centrally, since an entry that has already been shipped off the host can't be erased locally. In which case the former method (preventing the log entries from being written in the first place) is going to be preferable. Again, this is straightforward as long as my bot agent is operating with system permissions.
  3. Timed uninstall. I'm going to want a mechanism for automatically uninstalling any software packages that I've installed. Ideally I'd set that up in advance and ensure that there's some kind of scheduling ability in my bot, so I don't have to remember to uninstall it myself (or in case I temporarily lose C&C over the host at any stage).
  4. Fatal error simulator. It'll be helpful to have a component that generates a "fatal error" kind of message for the user of the computer. Ideally I'd install any pay-per-install packages stealthily and while the user is not interacting with the computer (e.g. monitor whether the screen is locked, a screen-saver is running, or the mouse and keyboard haven't been touched for 10+ minutes) - I might even monitor the local host's clock and do my installations in the wee hours of the morning. Regardless of the scheduling, throwing up a fake fatal error message that either instructs the user to reboot (or counts down to a forced reboot), or just blue-screens the host, will be handy when a package requires a reboot to function (e.g. some packages require a reboot before they phone home and the pay-per-install vendor ponies up the money).
  5. Hide the popups. It seems that many of the better paying pay-per-install packages are effectively spyware with ad popup capabilities. I'd definitely want to make sure that those popups never appear on the screen and bother my poor victim user (I'm trying to be stealthy, remember) - and I'll probably want to "click" on a few of the ads just in case someone is monitoring whether the software was actually installed legitimately and is being used.
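From the defender's side, the five "improvements" above also describe what to hunt for: a host that gains a new package roughly every week, at hours when nobody is at the keyboard, and sheds it again some 4-6 weeks later (the enterprise victim mentioned earlier was noticed precisely because its hosts were installing and uninstalling software on their own). The following Python script is an added example, not code from the original post: it scores each host on those three signals over a constructed install/removal log. The log layout (timestamp,host,action,product), the thresholds, and the host and product names are all assumptions made for the example; in practice the events would come from the Windows Application log's MsiInstaller entries or a central log collector. Note the caveat from item 2: a bot that suppresses logging shows up as a host that stops reporting installs at all, which this script will not flag, so pair it with a "hosts gone quiet" check.

```python
"""Flag hosts whose install/remove history matches the pay-per-install
fraud pattern: a new package about weekly, installed when the user is
away, removed again some 4-6 weeks later.

Added example, not code from the original post.  The log format is
constructed for the example (timestamp,host,action,product); a real
deployment would feed it from MsiInstaller events or a log collector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions tuned to the scheme as described above.
OFF_HOURS = range(0, 6)                                   # 00:00-05:59 host-local time
BURST_WINDOW = timedelta(days=30)
BURST_THRESHOLD = 3                                       # installs per 30 days
CHURN_WINDOW = (timedelta(days=21), timedelta(days=49))   # removed ~3-7 weeks after install
MIN_INDICATORS = 2                                        # signals needed to flag a host

# Constructed sample log: WS-0412 shows the fraud pattern, WS-0077 is
# ordinary patching during business hours.  All names are invented.
SAMPLE_LOG = """\
2009-05-01T02:14:00,WS-0412,INSTALL,ToolbarPro
2009-05-08T03:02:00,WS-0412,INSTALL,SearchHelper
2009-05-15T02:40:00,WS-0412,INSTALL,MediaCodecPack
2009-05-22T01:58:00,WS-0412,INSTALL,PCBooster
2009-06-03T02:11:00,WS-0412,REMOVE,ToolbarPro
2009-06-10T02:51:00,WS-0412,REMOVE,SearchHelper
2009-05-04T14:20:00,WS-0077,INSTALL,CorporateVPN 4.2
2009-05-20T10:05:00,WS-0077,INSTALL,PDF Viewer 9.1
2009-05-20T10:06:00,WS-0077,REMOVE,PDF Viewer 9.0
"""


def parse_log(text):
    """Return a list of (timestamp, host, action, product) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, product = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), host, action, product))
    return events


def host_indicators(events):
    """Compute the three fraud indicators for one host's events."""
    installs = sorted(e for e in events if e[2] == "INSTALL")
    removed_at = {e[3]: e[0] for e in events if e[2] == "REMOVE"}
    times = [e[0] for e in installs]

    # 1. Install burst: the most installs seen inside any 30-day window.
    burst = 0
    for i, start in enumerate(times):
        burst = max(burst, sum(1 for t in times[i:] if t - start <= BURST_WINDOW))

    # 2. Off-hours fraction: share of installs done in the small hours.
    off_hours = sum(1 for t in times if t.hour in OFF_HOURS)
    off_frac = off_hours / len(times) if times else 0.0

    # 3. Churn: packages removed again 3-7 weeks after they were installed.
    churn = 0
    for ts, _host, _action, product in installs:
        removed = removed_at.get(product)
        if removed is not None and CHURN_WINDOW[0] <= removed - ts <= CHURN_WINDOW[1]:
            churn += 1

    flags = []
    if burst >= BURST_THRESHOLD:
        flags.append("install_burst")
    if times and off_frac >= 0.5:
        flags.append("off_hours")
    if churn:
        flags.append("churn")
    return {"burst": burst, "off_hours_fraction": off_frac, "churn": churn, "flags": flags}


def analyse(text):
    """Map host -> indicator dict for every host seen in the log."""
    by_host = defaultdict(list)
    for ev in parse_log(text):
        by_host[ev[1]].append(ev)
    return {host: host_indicators(evs) for host, evs in by_host.items()}


def suspicious_hosts(text):
    """Hosts with at least MIN_INDICATORS fraud signals, sorted by name."""
    return sorted(h for h, r in analyse(text).items() if len(r["flags"]) >= MIN_INDICATORS)


if __name__ == "__main__":
    for host, result in analyse(SAMPLE_LOG).items():
        print(host, result)
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

Run as-is it reports WS-0412 with all three flags and leaves WS-0077 alone; the thresholds are deliberately loose, since a single indicator (a patch Tuesday burst, a night-shift workstation) is normal and only the combination is interesting.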
Counting the Money
Given the investment necessary for configuring my botnet to conduct this pay-per-install fraud, how much money could I be expected to make?

If I were to go with one of the affiliate providers, here's what I'd be looking at on a per-package-install basis (assuming the majority of my botnet is in the US)...
Actually the selection process isn't quite as obvious as it may seem. There are all sorts of "hidden" criteria for payment with the pay-per-install organizations that appear to offer the most. Regardless, let's knock off the first two and see what $0.13 to $0.60 could earn me...

Based upon a botnet of 50,000, let's assume that I can roll out the pay-per-install packages to 90% of them - that's 45,000 installs, which at $0.13 to $0.60 apiece yields between $5,850 and $27,000 per package. Not too shabby. With a bit of luck I can install a new package at least once per week, and uninstall older packages after I've been paid for their installation (allow 4-6 weeks). At four-plus packages a month, that means I could potentially be earning something like $20k-100k per month!

I suspect, however, that I'd have to split my pay-per-install affiliation amongst multiple providers, as any one of them would soon get wise to the fraud if it had to hand over that amount of cash every month - so I'd probably have to throttle things back a little to remain under their detection radar. I'd probably aim to earn about $10k per month through this botnet money-making scheme without too much fear of being spotted. That said, some of these pay-per-install vendors appear to have really open minds - and aren't shy of doing business with known botnet operators.

That's a reasonable return on my investment in setting up the delivery mechanics of the fraud. And there's no reason why I can't continue to use the botnet simultaneously for other fraud schemes. It's not going to make me rich, but it'll be handy to cover the costs of growing my botnet further.

The Pay-per-Install Business
When I first encountered pay-per-install vendors it was back in the mid-1990s, when shareware was all the rage. Some software vendors cottoned on to the fact that they could make more money if their new application was widely available and people installed it - and thereby eventually registered the software or purchased a subscription. Given how competitive (and crowded) the shareware distribution system was back then, paying a BBS operator or Web master to promote their software above other products made a lot of sense. Payments of up to $20 per successful installation and user registration weren't uncommon.

Since then the model has been refined and competing business permutations have emerged. Some pay-per-install companies have even turned it into a successful affiliate-marketing business.

The software distributed by many of these pay-per-install vendors today isn't exactly something most computer users would want running on their computers. If it's not an actual virus (or bot), then it's going to be spyware or adware. More than likely it'll be the latter, as this is how many of the pay-per-install operators make their money.

Getting started in this business as an affiliate is simple. There are plenty of sites and forums providing advice and tactics for making money installing this unwanted software. A quick Google search for "pay per install forums" returns over 12,000,000 pages of information and advice.

Then there are several review sites - complete with star ratings of the pay-per-install vendors.

Finally, here's the FAQ from one such pay-per-install vendor (I don't really believe their non-virus claims, but you get the picture).
  1. What we pay for?

    We pay for our promotional software installation with your affiliate ID.

  2. Are you making traffic quality checks?

    We are making the analysis of each affiliate traffic. If in two weeks we do not leave on a recoupment point, we keep the right to suspend work with an affiliate, we pay to him for the poor-quality traffic ( exactly so much how many we earn) and leave him.

  3. Is your software a virus?

    Emphatically - no ! Our program does not inflict harm the computer of user and steal no personal information. The primary purpose of our software is advertising (such as popup advertisements or hijackin search result) and nothing anymore.

  4. Do you allow SPAM traffic?

    NO, exposed affiliates will be blocked and won't paid.

  5. Do you have active referral program?

    Up to know we don't have referral program for our affiliates, but we are working on such program implementation.

  6. What is your actual install rates?

    Basic rates are listed here, but after week of stable installs flow you rates may be reconsidered by contacting support.

  7. What is your minimum payout?

    The minimum payout for everybody is $10.

  8. What payment methods are available?

    Webmoney (0.8% payment commision)
    WIRE transfer ($50 payment commision)
    ePassporte (1.8% + $2 payment commision)
    PayPal (3.5% payment commision)

It's interesting to note that the grammar and spelling don't appear to have come from a native English speaker, and that this particular site is hiding its registrant details via
