Pay-per-Install Malware Tries New Business Model

In an age in which money is king, I was surprised to discover this week a new forum that offers a lot of malware for free. I found a post, below, as well as various announcements on the Net that call this site a botnet paradise.

Curious, I attempted to register. After a one-day wait, I was able to reach the packages. This forum was just created and was open to registration for seven days (from September 9 to 15). After this date it will become private, according to a decision taken by a majority of its subscribers.

For now, most of the posts are from the site administrator and a few global moderators. Initial topics unconcerned with sales are just copied from other blogs (recent or old) without any credit for the authors. In the sellers' areas, the most interesting offers appear in the next image.

People searching for pay-per-install offers are directed to statsbusiness.net and Best AV. Statsbusiness seems to be the new label for InstallConverter, an old affiliate platform analyzed in depth by Kevin Stevens at BlackHat 2010. Statsbusiness requires an invitation code to join. This code is freely given in a post.

It shouldn’t be necessary to introduce Best AV. In July, international law enforcement struck hard at the underground scareware (fake AV) market. Best AV disconnected its site from the web after explaining it was “impossible to pay advertisers on time and in full.” Now we find Best AV appearing at a new URL, showing the business is continuing.

The pay-per-install forum sponsors services that will install malware for a price. Many countries are available, though not Russia and some others in Eastern Europe. The four offers I quoted (in the image) refer to installation services whose websites were recently unavailable. I suspect all these services reach a unique group that is engaged in designing a new business model they hope will be more discreet.

Pay-per-install businesses can be temporarily compromised by welcome law enforcement action, but the crooks will always find a way to return.