Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Dynamic application-layer protocol analysis for network intrusion detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
An inquiry into the nature and causes of the wealth of internet miscreants
Proceedings of the 14th ACM conference on Computer and communications security
Context-aware clustering of DNS query traffic
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
SS'08 Proceedings of the 17th conference on Security symposium
Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Spamcraft: an inside look at spam campaign orchestration
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Insights from the inside: a view of botnet management from infiltration
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Behavioral clustering of HTTP-based malware and signature generation using malicious network traces
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
PolyPack: an automated online packing service for optimal antivirus evasion
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
What's clicking what? techniques and innovations of today's clickbots
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Putting out a HIT: crowdsourcing malware installs
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
A survey of mobile malware in the wild
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
GQ: practical containment for measuring modern malware systems
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Cross-Analysis of botnet victims: new insights and implications
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Tracking DDoS attacks: insights into the business of disrupting the web
LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
Adapting social spam infrastructure for political censorship
LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
PharmaLeaks: understanding the business of online pharmaceutical affiliate programs
Security'12 Proceedings of the 21st USENIX conference on Security symposium
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Impact of spam exposure on user engagement
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Learning from early attempts to measure information security performance
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Frankenstein: stitching malware from benign binaries
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Vanity, cracks and malware: insights into the anti-copy protection ecosystem
Proceedings of the 2012 ACM conference on Computer and communications security
Manufacturing compromise: the emergence of exploit-as-a-service
Proceedings of the 2012 ACM conference on Computer and communications security
Large-Scale analysis of malware downloaders
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On the feasibility of online malware detection with performance counters
Proceedings of the 40th Annual International Symposium on Computer Architecture
Measurement and analysis of child pornography trafficking on P2P networks
Proceedings of the 22nd international conference on World Wide Web
Spatio-temporal mining of software adoption & penetration
Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
ViceROI: catching click-spam in search ad networks
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A close look on n-grams in intrusion detection: anomaly detection vs. classification
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Driving in the cloud: an analysis of drive-by download operations and abuse reporting
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Binary program statistical features hiding through huffman obfuscated coding
ICIC'13 Proceedings of the 9th international conference on Intelligent Computing Theories
Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse
SEC'13 Proceedings of the 22nd USENIX conference on Security
ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates
SEC'13 Proceedings of the 22nd USENIX conference on Security
Stranger danger: exploring the ecosystem of ad-based URL shortening services
Proceedings of the 23rd international conference on World wide web
| Hi-index | 0.00 |
Recent years have seen extensive diversification of the "underground economy" associated with malware and the subversion of Internet-connected systems. This trend towards specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value-chain from malware creation to monetization in the presence of ever-evolving countermeasures poses a daunting task requiring highly developed skills and resources. As a result, entrepreneurial-minded miscreants have formed pay-per-install (PPI) services--specialized organizations that focus on the infection of victims' systems. In this work we perform a measurement study of the PPI market by infiltrating four PPI services. We develop infrastructure that enables us to interact with PPI services and gather and classify the resulting malware executables distributed by the services. Using our infrastructure, we harvested over a million client executables using vantage points spread across 15 countries. We find that of the world's top 20 most prevalent families of malware, 12 employ PPI services to buy infections. In addition we analyze the targeting of specific countries by PPI clients, the repacking of executables to evade detection, and the duration of malware distribution.