Pay-Per-Install Analysis – Part One
What is Pay-Per-Install(PPI)?
Pay-Per-Install is a system where affiliates get paid for each installation of a piece of software, 9 times out of 10 without the knowledge of the end-user. The amount the affiliate gets paid depends on which country the victim is in: countries like the USA normally get the highest rates, while other less-known countries get little or nothing. Some of these companies have existed since 2004 and even today still carry on pumping out various malware types. Banking trojans, downloaders, spam-bots, backdoors, proxy-bots, rootkits: any “software” will do with these guys.
I managed to gain access to some of these companies, some of which aren’t publicly known and are invite only.
Earning4U
This is a company that has existed for a long time. It was previously called InstallsCash, and before that IframeDollars; IframeDollars was a known associate of the RBN.
Here you can see the stats panel of Earning4U: the date, how many downloads they had, a table of the countries they’ve installed in, how many unique installs they’ve got (unique installs are installs from a single IP/PC; multiple installations on the same PC won’t count), and the amount of money these installs have earned them.
Another bad thing is that the loader is updated often to avoid antivirus detection; it looks like they update the main EXE loader every 3 or 4 days.
This is how much Earning4U pays for 1000 unique installs, per country (US dollars).
Country          USD per 1000 unique installs
United States    180
United Kingdom   110
Netherlands       30
France            30
Poland            20
Italy             65
Germany           30
Spain             30
Australia         55
Greece            30
Other             20
Asia               8
This is a list of strings from the unpacked executable provided by Earning4U (columns are offset, length and the string itself).
0x000001D0 0x00000005 .text
0x000001F7 0x00000006 `.data
0x00000220 0x00000008 .textbss
0x00000248 0x00000006 .rdata
0x0000026F 0x00000006 @.rsrc
0x00000297 0x00000007 @.debug
0x000002B0 0x00000007 /c del
0x000002B8 0x00000005 COMS@
0x000002BF 0x00000039 @%svzdlfahpxe.php?adv=adv510&code1=%s&code2=%s&id=%d&p=%s
0x00000300 0x0000000A %senrl.exe
0x0000030C 0x00000017 %skksahc.php?adv=adv510
0x00000324 0x0000000B %sdltfh.exe
0x00000330 0x00000016 %siickf.php?adv=adv510
0x00000348 0x0000000E %samycwrkf.exe
0x00000358 0x00000019 %sjjaiqxsq.php?adv=adv510
0x00000374 0x0000000E %shhyawghp.exe
0x00000384 0x00000019 %sjwrlgbvd.php?adv=adv510
0x000003A0 0x0000000C %sgwetlq.exe
0x000003B0 0x0000001B %swzdytaicxe.php?adv=adv510
0x000003CC 0x0000000C %smvjjsb.exe
0x000003DC 0x0000001B %sgkbjdlwqlt.php?adv=adv510
0x000003F8 0x00000008 %seetj.e
0x000010A8 0x00000006 > nul
0x000010B0 0x00000007 /c del
0x000010B8 0x00000007 COMSPEC
0x000010C0 0x00000038 %svzdlfahpxe.php?adv=adv510&code1=%s&code2=%s&id=%d&p=%s
0x00001100 0x0000000A %senrl.exe
0x0000110C 0x00000017 %skksahc.php?adv=adv510
0x00001129 0x00000006 fh.exe
0x00001130 0x00000016 %siickf.php?adv=adv510
0x00001148 0x0000000E %samycwrkf.exe
0x00001158 0x00000019 %sjjaiqxsq.php?adv=adv510
0x00001174 0x0000000E %shhyawghp.exe
0x00001184 0x00000019 %sjwrlgbvd.php?adv=adv510
0x000011A0 0x0000000C %sgwetlq.exe
0x000011B0 0x0000001B %swzdytaicxe.php?adv=adv510
0x000011CC 0x0000000C %smvjjsb.exe
0x000011DC 0x0000001B %sgkbjdlwqlt.php?adv=adv510
0x000011F8 0x0000000A %seetj.exe
0x00001204 0x00000016 %sgxbjd.php?adv=adv510
0x0000121C 0x0000000D %sggmohsv.exe
0x0000122C 0x0000001B %suiptnmgovj.php?adv=adv510
0x00001248 0x0000000A %sjuih.exe
0x00001254 0x00000017 %sggbrzx.php?adv=adv510
0x0000126C 0x0000000D %silwxubb.exe
0x0000127C 0x00000017 %sffmhcw.php?adv=adv510
0x00001294 0x0000000A %swfpk.exe
0x000012A0 0x00000019 %skksaupwr.php?adv=adv510
0x000012C4 0x00000018 %sptxfnhp.php?adv=adv510
0x000012E0 0x00000021 hxxp://bgroundplatt.com/yulgbvqk/
0x00001304 0x0000001C hxxp://agrofee.com/yulgbvqk/
0x00001328 0x00000005 ver54
0x00001F8F 0x00000012 nternetCloseHandle
0x00001FA5 0x0000000F nternetReadFile
0x00001FB9 0x0000000D ttpQueryInfoA
0x00001FCA 0x00000012 InternetSetOptionA
0x00001FE1 0x0000000F nternetOpenUrlA
0x00001FF5 0x0000000C nternetOpenA
0x00002002 0x0000000B WININET.dll
0x00002011 0x00000014 btainUserAgentString
0x00002026 0x0000000A urlmon.dll
0x00002035 0x0000000A xitProcess
0x00002042 0x00000011 SetThreadPriority
0x00002056 0x00000010 GetCurrentThread
0x0000206A 0x00000011 GetCurrentProcess
0x0000207E 0x00000010 SetPriorityClass
0x00002092 0x00000008 lstrcatA
0x0000209E 0x00000008 lstrcpyA
0x000020AA 0x00000017 GetEnvironmentVariableA
0x000020C4 0x00000011 GetShortPathNameA
0x000020D8 0x00000012 GetModuleFileNameA
0x000020EE 0x00000016 WaitForMultipleObjects
0x00002108 0x0000000D GetSystemTime
0x00002118 0x0000000B GetFileSize
0x00002127 0x0000000A reateFileA
0x00002134 0x0000000B CloseHandle
0x00002142 0x00000013 WaitForSingleObject
0x00002159 0x0000000B reateThread
0x00002168 0x00000016 GetSystemDefaultLangID
0x00002182 0x0000000C GetTempPathA
0x00002192 0x00000015 GetVolumeInformationA
0x000021AB 0x00000009 xitThread
0x000021B9 0x0000000D reateProcessA
0x000021CA 0x00000009 WriteFile
0x000021D4 0x0000000C KERNEL32.dll
0x000021E4 0x00000009 wsprintfA
0x000021EE 0x0000000A USER32.dll
0x000021FC 0x00000010 DirectDrawCreate
0x0000220E 0x00000009 DDRAW.dll
0x0000221B 0x0000000D HChangeNotify
0x0000222D 0x0000000E hellExecuteExA
0x0000223C 0x0000000B SHELL32.dll
0x00003B71 0x00000007 &y%ZgXJ
0x00008241 0x00000019 qvSHCreateShellFolderView
0x0000825B 0x0000000B SHELL32.dll
0x00008269 0x0000000B CloseHandle
0x00008277 0x0000000C LoadLibraryA
0x00008287 0x00000017 QueryPerformanceCounter
0x000082A0 0x0000000C qExitProcess
0x000082AF 0x0000000C VirtualAlloc
0x000082BD 0x0000000C KERNEL32.dll
0x00009558 0x0000001E VS_VERSION_INFO
0x000095B4 0x0000001C StringFileInfo
0x000095D8 0x00000010 040904B0
0x000095F0 0x00000016 CompanyName
0x0000961C 0x0000001E FileDescription
0x0000963E 0x0000001E Kernel Veryfier
0x00009664 0x00000016 FileVersion
0x0000967E 0x0000001A 2.4.4587.1000
0x000096A0 0x00000018 InternalName
0x000096CC 0x0000001C LegalCopyright
0x000096EA 0x00000010 eSXi (c)
0x00009704 0x00000020 OriginalFilename
0x00009726 0x00000010 KVFR.EXE
0x00009740 0x00000016 ProductName
0x0000975A 0x0000001E Kernel Veryfier
0x00009780 0x0000001C ProductVersion
0x0000979E 0x0000001A 2.4.4587.1000
0x000097C0 0x00000016 VarFileInfo
0x000097E0 0x00000016 Translation
One interesting thing to note is that the PHP scripts won’t let you download the file unless “ver54” is appended to the end of the user agent, which the loader obtains by calling the ObtainUserAgentStringA API.
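As an added example (not code from the post), here is a Python log-scanning routine that looks for the two markers the strings dump exposes: the adv=adv510 affiliate id on the .php requests and the “ver54” suffix on the User-Agent. The proxy log format and the sample lines are constructed for the example; the two hosts are the ones from the strings.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the strings dump: the affiliate id carried by every
# .php download URL and the suffix the server demands on the User-Agent.
AFFILIATE_ID = "adv510"
UA_SUFFIX = "ver54"

# Constructed sample proxy log, one request per line: client url "user-agent".
SAMPLE_LOG = """\
10.0.0.5 http://bgroundplatt.com/yulgbvqk/enrl.exe "Mozilla/4.0 (compatible; MSIE 7.0)ver54"
10.0.0.5 http://bgroundplatt.com/yulgbvqk/kksahc.php?adv=adv510 "Mozilla/4.0 (compatible; MSIE 7.0)ver54"
10.0.0.7 http://www.example.org/index.php?adv=adv510 "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 http://agrofee.com/yulgbvqk/vzdlfahpxe.php?adv=adv510&code1=a&code2=b&id=3&p=c "curl/7.0ver54"
10.0.0.9 http://www.example.org/ "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify(line):
    """Return the PPI-loader indicators present in one log line (possibly none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    reasons = []
    # The loader's check-in/download scripts are .php files keyed by adv=adv510.
    if parts.path.endswith(".php") and AFFILIATE_ID in parse_qs(parts.query).get("adv", []):
        reasons.append("adv=adv510 on .php request")
    # The server only serves the payload when the UA ends in ver54.
    if m.group("ua").endswith(UA_SUFFIX):
        reasons.append("User-Agent ends with ver54")
    return reasons


def scan(log_text):
    """Return [(line_no, confidence, reasons)]; both markers together is high confidence."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, "high" if len(reasons) == 2 else "low", reasons))
    return hits


if __name__ == "__main__":
    for n, conf, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {conf}: {'; '.join(reasons)}")
```

A UA suffix alone is a weak signal (any client could add it), so only the combination with the affiliate-keyed .php request is rated high.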
This is a brief sandbox analysis of the executable.
Created Files:
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\bookmarkbackups\bookmarks-2010-06-02.json
C:\Documents and Settings\Administrator\Local Settings\Temp\5d0a4d64.tmp
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe
C:\WINDOWS\riap60.dll
C:\WINDOWS\system32\arrbofhrxumbzdpr.dll
C:\WINDOWS\system32\bbayi.exe
C:\WINDOWS\system32\kbayi.dll
C:\WINDOWS\system32\nywpppobpt.exe
C:\WINDOWS\system32\obayi.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jghrjtyu.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\juih.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mvjjsb.exe
C:\Program Files\$NtUninstallWTF1012$\elUninstall.exe
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\localstore.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\pluginreg.dat

Registry Startup Entries:
HKLM\software\microsoft\Windows\CurrentVersion\Run\iriuusum: C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\MChk: C:\WINDOWS\system32\bbayi.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\odjzobioswzpnm: C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\arrbofhrxumbzdpr.dll"
HKLM\software\microsoft\Windows\CurrentVersion\Run\skb: rundll32 "obayi.dll",,Run
HKLM\system\CurrentControlSet\Services\1519672323\ImagePath: C:\WINDOWS\system32\drivers\1519672323.sys
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\Aruluya: rundll32.exe "C:\WINDOWS\riap60.dll",Startup
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\iriuusum: C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe

Registry Modifications:
HKLM\system\CurrentControlSet\Services\1519672323\Type = 01000000
HKCU\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000
HKCU\current\software\appdatalow\software\{97db103a-ec69-12c0-8972-4b581bd21e32}\aff_id = voguecash

Internet Connections:
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to "195.2.252.153" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to "195.2.252.157" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "72.55.140.184" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "72.55.174.185" on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "77.245.58.4" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\vocd610.exe Connects to "208.43.86.21" on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\wfpk.exe Connects to "64.191.38.165" on port 80 (TCP - HTTP).

Modified files in Network Shares:
\\127.0.0.1\admin$\system32\drivers\aec.sys
\\127.0.0.1\admin$\system32\drivers\asyncmac.sys
\\127.0.0.1\admin$\system32\drivers\Cdaudio.sys
\\127.0.0.1\admin$\system32\drivers\dmusic.sys
\\127.0.0.1\admin$\system32\drivers\drmkaud.sys
\\127.0.0.1\admin$\system32\drivers\imapi.sys
\\127.0.0.1\admin$\system32\drivers\ip6fw.sys
\\127.0.0.1\admin$\system32\drivers\ipfltdrv.sys
\\127.0.0.1\admin$\system32\drivers\ipinip.sys
\\127.0.0.1\admin$\system32\drivers\irenum.sys
\\127.0.0.1\admin$\system32\drivers\kmixer.sys
\\127.0.0.1\admin$\system32\drivers\Modem.sys
\\127.0.0.1\admin$\system32\drivers\mskssrv.sys
\\127.0.0.1\admin$\system32\drivers\mspclock.sys
\\127.0.0.1\admin$\system32\drivers\mspqm.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkflt.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkfwd.sys
\\127.0.0.1\admin$\system32\drivers\RDPWD.sys
\\127.0.0.1\admin$\system32\drivers\redbook.sys
\\127.0.0.1\admin$\system32\drivers\secdrv.sys
\\127.0.0.1\admin$\system32\drivers\Serial.sys
\\127.0.0.1\admin$\system32\drivers\Sfloppy.sys
\\127.0.0.1\admin$\system32\drivers\splitter.sys
\\127.0.0.1\admin$\system32\drivers\swmidi.sys
\\127.0.0.1\admin$\system32\drivers\TDPIPE.sys
\\127.0.0.1\admin$\system32\drivers\TDTCP.sys
\\127.0.0.1\admin$\system32\drivers\usbstor.sys

DNS Queries:
0002136011.249576ca.01
1EBF1D3D088D4E50AF2030A3A7E30896.n.empty.19.empty.5_1._t_i.ffffffff.your_exe_exe.154.rc2.a4h9uploading.com
aebankonline.com
agrofee.com
bgroundplatt.com
cnfg.kusochtak.com
cnfg.net-secured-app.com
sts.think-adz.com
vc0.voguecash.net
vc1.voguecash.net
www.deewoo.net
The executable is currently able to download up to 11 further files, so after executing it you and your PC are in some serious danger.
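Added example, not from the original post: a Python triage pass over the autostart entries in the sandbox report above, flagging the loader techniques they show (a silent regsvr32 DLL registration, rundll32 entry points, binaries under the user profile, a numeric-named driver service). The entries are copied from the report, the final benign-looking entry is constructed as a control, and the rule labels are my own naming.

```python
import re

# Autostart entries as the sandbox printed them ("<registry value>: <command>"),
# plus one constructed benign-looking entry as a control.
SAMPLE_AUTOSTARTS = r"""
HKLM\software\microsoft\Windows\CurrentVersion\Run\iriuusum: C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\MChk: C:\WINDOWS\system32\bbayi.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\odjzobioswzpnm: C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\arrbofhrxumbzdpr.dll"
HKLM\software\microsoft\Windows\CurrentVersion\Run\skb: rundll32 "obayi.dll",,Run
HKLM\system\CurrentControlSet\Services\1519672323\ImagePath: C:\WINDOWS\system32\drivers\1519672323.sys
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\Aruluya: rundll32.exe "C:\WINDOWS\riap60.dll",Startup
HKLM\software\microsoft\Windows\CurrentVersion\Run\Benign: "C:\Program Files\Example\updater.exe" /background
"""

# (label, which part of the entry the pattern is tested against, pattern)
RULES = [
    ("silent regsvr32 DLL load", "cmd", re.compile(r"\bregsvr32(\.exe)?\s+/s\b", re.I)),
    ("rundll32 entry-point launch", "cmd", re.compile(r'^"?rundll32(\.exe)?\b', re.I)),
    ("binary under user profile data/temp dir", "cmd",
     re.compile(r"\\(Local Settings|Application Data|Temp)\\", re.I)),
    ("driver service with numeric name", "key", re.compile(r"\\Services\\\d+\\ImagePath$", re.I)),
]


def triage(report_text):
    """Return [(key, command, [labels])] for every entry that trips at least one rule."""
    flagged = []
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first ": "; a drive letter like "C:\" has no space after the colon.
        key, _, cmd = line.partition(": ")
        labels = [label for label, target, rx in RULES
                  if rx.search(key if target == "key" else cmd)]
        if labels:
            flagged.append((key, cmd, labels))
    return flagged


if __name__ == "__main__":
    for key, cmd, labels in triage(SAMPLE_AUTOSTARTS):
        print(f"{key}\n    {cmd}\n    -> {', '.join(labels)}")
```

Entries that only point at a bare executable in system32 (the MChk one here) pass these rules, so a path-based triage like this needs a hash or signature check behind it.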
To be continued…