Pay-Per-Install Analysis – Part One

What is Pay-Per-Install (PPI)?

Pay-Per-Install is a system where people get paid for the installation of software, 9 times out of 10 without the knowledge of the end user. The amount the affiliate gets paid depends on which country the victim is in: countries like the USA normally get the highest rates, while other less-known countries get little or nothing. Some companies have existed since 2004 and even today still carry on pumping out various malware types. Banking trojans, downloaders, spam-bots, backdoors, proxy-bots, rootkits, any “software” will do with these guys.

I managed to gain access to some of these companies, some of which aren’t publicly known, and invite only.

Earning4U

This is a company that has existed for a long time. It was previously called InstallsCash, and before that IframeDollars. IframeDollars was a known associate of the RBN.

Here you can see the stats panel of Earning4U: the date, how many downloads they had, a table of the countries the installs landed in, how many unique installs they got (a unique install is counted once per IP/PC, so multiple installations on the same PC won’t count), and the amount of money these installs have earned them.


Another bad thing is that the loader is updated often to avoid antivirus detection; it looks like they update the main EXE loader every 3 or 4 days.

This is how much Earning4U pays per 1000 unique installs, by country (US dollars).

United States     180
United Kingdom    110
Netherlands        30
France             30
Poland             20
Italy              65
Germany            30
Spain              30
Australia          55
Greece             30
Other              20
Asia                8

This is a list of strings from the unpacked executable provided by Earning4U.

0x000001D0 0x00000005 .text
0x000001F7 0x00000006 `.data
0x00000220 0x00000008 .textbss
0x00000248 0x00000006 .rdata
0x0000026F 0x00000006 @.rsrc
0x00000297 0x00000007 @.debug
0x000002B0 0x00000007 /c del
0x000002B8 0x00000005 COMS@
0x000002BF 0x00000039 @%svzdlfahpxe.php?adv=adv510&code1=%s&code2=%s&id=%d&p=%s
0x00000300 0x0000000A %senrl.exe
0x0000030C 0x00000017 %skksahc.php?adv=adv510
0x00000324 0x0000000B %sdltfh.exe
0x00000330 0x00000016 %siickf.php?adv=adv510
0x00000348 0x0000000E %samycwrkf.exe
0x00000358 0x00000019 %sjjaiqxsq.php?adv=adv510
0x00000374 0x0000000E %shhyawghp.exe
0x00000384 0x00000019 %sjwrlgbvd.php?adv=adv510
0x000003A0 0x0000000C %sgwetlq.exe
0x000003B0 0x0000001B %swzdytaicxe.php?adv=adv510
0x000003CC 0x0000000C %smvjjsb.exe
0x000003DC 0x0000001B %sgkbjdlwqlt.php?adv=adv510
0x000003F8 0x00000008 %seetj.e
0x000010A8 0x00000006 > nul
0x000010B0 0x00000007 /c del
0x000010B8 0x00000007 COMSPEC
0x000010C0 0x00000038 %svzdlfahpxe.php?adv=adv510&code1=%s&code2=%s&id=%d&p=%s
0x00001100 0x0000000A %senrl.exe
0x0000110C 0x00000017 %skksahc.php?adv=adv510
0x00001129 0x00000006 fh.exe
0x00001130 0x00000016 %siickf.php?adv=adv510
0x00001148 0x0000000E %samycwrkf.exe
0x00001158 0x00000019 %sjjaiqxsq.php?adv=adv510
0x00001174 0x0000000E %shhyawghp.exe
0x00001184 0x00000019 %sjwrlgbvd.php?adv=adv510
0x000011A0 0x0000000C %sgwetlq.exe
0x000011B0 0x0000001B %swzdytaicxe.php?adv=adv510
0x000011CC 0x0000000C %smvjjsb.exe
0x000011DC 0x0000001B %sgkbjdlwqlt.php?adv=adv510
0x000011F8 0x0000000A %seetj.exe
0x00001204 0x00000016 %sgxbjd.php?adv=adv510
0x0000121C 0x0000000D %sggmohsv.exe
0x0000122C 0x0000001B %suiptnmgovj.php?adv=adv510
0x00001248 0x0000000A %sjuih.exe
0x00001254 0x00000017 %sggbrzx.php?adv=adv510
0x0000126C 0x0000000D %silwxubb.exe
0x0000127C 0x00000017 %sffmhcw.php?adv=adv510
0x00001294 0x0000000A %swfpk.exe
0x000012A0 0x00000019 %skksaupwr.php?adv=adv510
0x000012C4 0x00000018 %sptxfnhp.php?adv=adv510
0x000012E0 0x00000021 hxxp://bgroundplatt.com/yulgbvqk/
0x00001304 0x0000001C hxxp://agrofee.com/yulgbvqk/
0x00001328 0x00000005 ver54
0x00001F8F 0x00000012 nternetCloseHandle
0x00001FA5 0x0000000F nternetReadFile
0x00001FB9 0x0000000D ttpQueryInfoA
0x00001FCA 0x00000012 InternetSetOptionA
0x00001FE1 0x0000000F nternetOpenUrlA
0x00001FF5 0x0000000C nternetOpenA
0x00002002 0x0000000B WININET.dll
0x00002011 0x00000014 btainUserAgentString
0x00002026 0x0000000A urlmon.dll
0x00002035 0x0000000A xitProcess
0x00002042 0x00000011 SetThreadPriority
0x00002056 0x00000010 GetCurrentThread
0x0000206A 0x00000011 GetCurrentProcess
0x0000207E 0x00000010 SetPriorityClass
0x00002092 0x00000008 lstrcatA
0x0000209E 0x00000008 lstrcpyA
0x000020AA 0x00000017 GetEnvironmentVariableA
0x000020C4 0x00000011 GetShortPathNameA
0x000020D8 0x00000012 GetModuleFileNameA
0x000020EE 0x00000016 WaitForMultipleObjects
0x00002108 0x0000000D GetSystemTime
0x00002118 0x0000000B GetFileSize
0x00002127 0x0000000A reateFileA
0x00002134 0x0000000B CloseHandle
0x00002142 0x00000013 WaitForSingleObject
0x00002159 0x0000000B reateThread
0x00002168 0x00000016 GetSystemDefaultLangID
0x00002182 0x0000000C GetTempPathA
0x00002192 0x00000015 GetVolumeInformationA
0x000021AB 0x00000009 xitThread
0x000021B9 0x0000000D reateProcessA
0x000021CA 0x00000009 WriteFile
0x000021D4 0x0000000C KERNEL32.dll
0x000021E4 0x00000009 wsprintfA
0x000021EE 0x0000000A USER32.dll
0x000021FC 0x00000010 DirectDrawCreate
0x0000220E 0x00000009 DDRAW.dll
0x0000221B 0x0000000D HChangeNotify
0x0000222D 0x0000000E hellExecuteExA
0x0000223C 0x0000000B SHELL32.dll
0x00003B71 0x00000007 &y%ZgXJ
0x00008241 0x00000019 qvSHCreateShellFolderView
0x0000825B 0x0000000B SHELL32.dll
0x00008269 0x0000000B CloseHandle
0x00008277 0x0000000C LoadLibraryA
0x00008287 0x00000017 QueryPerformanceCounter
0x000082A0 0x0000000C qExitProcess
0x000082AF 0x0000000C VirtualAlloc
0x000082BD 0x0000000C KERNEL32.dll
0x00009558 0x0000001E VS_VERSION_INFO
0x000095B4 0x0000001C StringFileInfo
0x000095D8 0x00000010 040904B0
0x000095F0 0x00000016 CompanyName
0x0000961C 0x0000001E FileDescription
0x0000963E 0x0000001E Kernel Veryfier
0x00009664 0x00000016 FileVersion
0x0000967E 0x0000001A 2.4.4587.1000
0x000096A0 0x00000018 InternalName
0x000096CC 0x0000001C LegalCopyright
0x000096EA 0x00000010 eSXi (c)
0x00009704 0x00000020 OriginalFilename
0x00009726 0x00000010 KVFR.EXE
0x00009740 0x00000016 ProductName
0x0000975A 0x0000001E Kernel Veryfier
0x00009780 0x0000001C ProductVersion
0x0000979E 0x0000001A 2.4.4587.1000
0x000097C0 0x00000016 VarFileInfo
0x000097E0 0x00000016 Translation

One interesting thing to note is that the PHP scripts won’t serve the file unless “ver54” is appended to the end of the user agent, which the loader obtains using the ObtainUserAgentStringA API.
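A quick way to turn a strings dump like the one above into triage data is to parse its "offset length text" lines and pull out the download-script templates, the payload file-name templates, the defanged base URLs and the user-agent token. The following is an added example (not the author's tooling); the dump it works on is a constructed excerpt of the page's listing that deliberately keeps a duplicated entry and a truncated fragment, and the number of distinct payload templates it recovers matches the eleven downloads the post mentions.

```python
import re

# Constructed excerpt of the page's strings dump ("<offset> <length> <text>" per line).
STRINGS_DUMP = """\
0x00000300 0x0000000A %senrl.exe
0x00000324 0x0000000B %sdltfh.exe
0x00001100 0x0000000A %senrl.exe
0x0000110C 0x00000017 %skksahc.php?adv=adv510
0x00001129 0x00000006 fh.exe
0x00001148 0x0000000E %samycwrkf.exe
0x00001174 0x0000000E %shhyawghp.exe
0x000011A0 0x0000000C %sgwetlq.exe
0x000011CC 0x0000000C %smvjjsb.exe
0x000011F8 0x0000000A %seetj.exe
0x0000121C 0x0000000D %sggmohsv.exe
0x00001248 0x0000000A %sjuih.exe
0x0000126C 0x0000000D %silwxubb.exe
0x00001294 0x0000000A %swfpk.exe
0x000012E0 0x00000021 hxxp://bgroundplatt.com/yulgbvqk/
0x00001304 0x0000001C hxxp://agrofee.com/yulgbvqk/
0x00001328 0x00000005 ver54
"""

LINE_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+0x([0-9A-Fa-f]{8})\s+(.*)$")
EXE_RE = re.compile(r"^%s([a-z]+)\.exe$")                 # payload file-name template
PHP_RE = re.compile(r"^@?%s([a-z]+)\.php\?adv=(adv\d+)")  # download-script template
URL_RE = re.compile(r"^hxxp://([^/]+)/")                   # defanged base URL

def parse_dump(text):
    """Yield (offset, declared_length, string) for each well-formed dump line."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3)

def triage(text):
    """Summarise the loader's download infrastructure from its strings."""
    exes, scripts, hosts, affiliates = set(), set(), set(), set()
    for _offset, _length, s in parse_dump(text):
        # Anchored regexes reject truncated fragments ("fh.exe"); sets drop duplicates.
        if m := EXE_RE.match(s):
            exes.add(m.group(1))
        elif m := PHP_RE.match(s):
            scripts.add(m.group(1))
            affiliates.add(m.group(2))
        elif m := URL_RE.match(s):
            hosts.add(m.group(1))
    return {"payloads": sorted(exes), "scripts": sorted(scripts),
            "hosts": sorted(hosts), "affiliate_ids": sorted(affiliates),
            "ua_gate_token": any(s == "ver54" for *_, s in parse_dump(text))}
```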

This is a brief sandbox analysis of the executable.

Created Files:
 
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\bookmarkbackups\bookmarks-2010-06-02.json
C:\Documents and Settings\Administrator\Local Settings\Temp\5d0a4d64.tmp
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe
C:\WINDOWS\riap60.dll
C:\WINDOWS\system32\arrbofhrxumbzdpr.dll
C:\WINDOWS\system32\bbayi.exe
C:\WINDOWS\system32\kbayi.dll
C:\WINDOWS\system32\nywpppobpt.exe
C:\WINDOWS\system32\obayi.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jghrjtyu.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\juih.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mvjjsb.exe
C:\Program Files\$NtUninstallWTF1012$\elUninstall.exe
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\localstore.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\pluginreg.dat
 
Registry Startup Entries:
 
HKLM\software\microsoft\Windows\CurrentVersion\Run\iriuusum:
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\MChk:
C:\WINDOWS\system32\bbayi.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\odjzobioswzpnm:
C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\arrbofhrxumbzdpr.dll"
HKLM\software\microsoft\Windows\CurrentVersion\Run\skb:
rundll32 "obayi.dll",,Run
HKLM\system\CurrentControlSet\Services\1519672323\ImagePath:
C:\WINDOWS\system32\drivers\1519672323.sys
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\Aruluya:
rundll32.exe "C:\WINDOWS\riap60.dll",Startup
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\iriuusum:
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
 
Registry Modifications:
 
HKLM\system\CurrentControlSet\Services\1519672323\Type = 01000000
HKCU\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000
HKCU\current\software\appdatalow\software\{97db103a-ec69-12c0-8972-4b581bd21e32}\aff_id = voguecash
 
Internet Connections: 
 
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to "195.2.252.153" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to "195.2.252.157" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "72.55.140.184" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "72.55.174.185" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "77.245.58.4" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\vocd610.exe Connects to "208.43.86.21" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\wfpk.exe Connects to "64.191.38.165" on port 80 (TCP - HTTP).
 
Modified files in Network Shares:
 
\\127.0.0.1\admin$\system32\drivers\aec.sys
\\127.0.0.1\admin$\system32\drivers\asyncmac.sys
\\127.0.0.1\admin$\system32\drivers\Cdaudio.sys
\\127.0.0.1\admin$\system32\drivers\dmusic.sys
\\127.0.0.1\admin$\system32\drivers\drmkaud.sys
\\127.0.0.1\admin$\system32\drivers\imapi.sys
\\127.0.0.1\admin$\system32\drivers\ip6fw.sys
\\127.0.0.1\admin$\system32\drivers\ipfltdrv.sys
\\127.0.0.1\admin$\system32\drivers\ipinip.sys
\\127.0.0.1\admin$\system32\drivers\irenum.sys
\\127.0.0.1\admin$\system32\drivers\kmixer.sys
\\127.0.0.1\admin$\system32\drivers\Modem.sys
\\127.0.0.1\admin$\system32\drivers\mskssrv.sys
\\127.0.0.1\admin$\system32\drivers\mspclock.sys
\\127.0.0.1\admin$\system32\drivers\mspqm.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkflt.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkfwd.sys
\\127.0.0.1\admin$\system32\drivers\RDPWD.sys
\\127.0.0.1\admin$\system32\drivers\redbook.sys
\\127.0.0.1\admin$\system32\drivers\secdrv.sys
\\127.0.0.1\admin$\system32\drivers\Serial.sys
\\127.0.0.1\admin$\system32\drivers\Sfloppy.sys
\\127.0.0.1\admin$\system32\drivers\splitter.sys
\\127.0.0.1\admin$\system32\drivers\swmidi.sys
\\127.0.0.1\admin$\system32\drivers\TDPIPE.sys
\\127.0.0.1\admin$\system32\drivers\TDTCP.sys
\\127.0.0.1\admin$\system32\drivers\usbstor.sys
 
DNS Queries:
 
0002136011.249576ca.01 1EBF1D3D088D4E50AF2030A3A7E30896.n.empty.19.empty.5_1._t_i.ffffffff.your_exe_exe.154.rc2.a4h9uploading.com
aebankonline.com
agrofee.com
bgroundplatt.com
cnfg.kusochtak.com
cnfg.net-secured-app.com
sts.think-adz.com
vc0.voguecash.net
vc1.voguecash.net
www.deewoo.net

The executable is currently able to download anything up to 11 files, so after executing it, you and your PC are in some serious danger.
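The "Registry Startup Entries" section of the sandbox report above is where a responder would look first, because it shows how the dropped components survive a reboot. The following is an added example (not from the post or the sandbox vendor) that parses that section and flags the patterns visible in it: autoruns pointing into the user profile or Temp, DLLs launched through rundll32 or regsvr32 (with or without a full path), and a kernel driver service with a random numeric name; the entries it reads are constructed from the report's lines.

```python
import re

# Constructed from the sandbox report's "Registry Startup Entries" section:
# a key line ending in ':' followed by the command it launches.
STARTUP_ENTRIES = r"""
HKLM\software\microsoft\Windows\CurrentVersion\Run\iriuusum:
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\MChk:
C:\WINDOWS\system32\bbayi.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\odjzobioswzpnm:
C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\arrbofhrxumbzdpr.dll"
HKLM\software\microsoft\Windows\CurrentVersion\Run\skb:
rundll32 "obayi.dll",,Run
HKLM\system\CurrentControlSet\Services\1519672323\ImagePath:
C:\WINDOWS\system32\drivers\1519672323.sys
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\Aruluya:
rundll32.exe "C:\WINDOWS\riap60.dll",Startup
"""

USER_WRITABLE = re.compile(r"\\(Local Settings|Application Data|Temp)\\", re.I)
DLL_LOADER = re.compile(r"^(?:.*\\)?(rundll32|regsvr32)(?:\.exe)?\s+(.*)$", re.I)
NUMERIC_SERVICE = re.compile(r"\\Services\\\d{6,}\\ImagePath$", re.I)

def parse_entries(text):
    """Pair each 'key:' line with the command on the line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [(k.rstrip(":"), v) for k, v in zip(lines[::2], lines[1::2])]

def classify(key, command):
    """Return the reasons an autostart entry deserves analyst attention."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable profile/temp path")
    if m := DLL_LOADER.match(command):
        reasons.append(f"loads a DLL via {m.group(1).lower()}")
        if ":\\" not in m.group(2):  # bare module name: resolved by DLL search order
            reasons.append("DLL named without a full path")
    if NUMERIC_SERVICE.search(key):
        reasons.append("kernel driver service with a random numeric name")
    return reasons

def triage_startup(text):
    """Map each suspicious registry key to its findings; clean entries are omitted."""
    return {k: r for k, v in parse_entries(text) if (r := classify(k, v))}
```

The MChk entry is dropped by these three rules even though its binary is part of the same infection, which is why a triage script like this complements, rather than replaces, reading the full report.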

To be continued…
