Measuring Pay-per-Install: The Commoditization of Malware Distribution

TitleMeasuring Pay-per-Install: The Commoditization of Malware Distribution
Publication TypeConference Paper
Year of Publication2011
AuthorsCabellero, J.., Grier C., Kreibich C., & Paxson V.
Other Numbers3134

Recent years have seen extensive diversification of the “underground economy” associated with malware and the subversion of Internet-connected systems. This trend toward specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value-chain from malware creation to monetization in the presence of ever-evolving countermeasures poses a daunting task requiring highly developed skills and resources. As a result, entrepreneurial-minded miscreants have formed pay-per-install (PPI) services—specialized organizations that focus on the infection of victims’ systems.In this work we perform a measurement study of the PPI market by infiltrating four PPI services. We develop infrastructure that enables us to interact with PPI services and gather and classify the resulting malware executables distributed by the services. Using our infrastructure, we harvested over a million client executables using vantage points spread across 15 countries. We find that of the world’s top 20 most prevalent families of malware, 12 employ PPI services to buy infections. In addition we analyze the targeting of specific countries by PPI clients, the repacking of executables to evade detection, and the duration of malware distribution.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS:0433702 (“Center for Internet Epidemiology and Defenses”); CNS:0905631 ("Invigorating Empirical Network Research via Mediated Trace Analysis"); and CNS:0831535 ("Comprehensive Applications Analysis and Control"), and by the Office of Naval Research. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation or the Office of Naval Research.

Bibliographic Notes

Proceedings of the 20th USENIX Security Symposium (Security '11), San Francisco, California

Abbreviated Authors

J. Cabellero, C. Grier, C. Kreibich, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings