Wednesday, January 30, 2008

Pay-Per-Install: A Malware Retail Business


Organized cyber-criminals have introduced a new retail business: pay-per-install. The business primarily entices webmasters to join the gang and promises to pay $350 for every 1,000 installs.

Like any other business, there is always competition. Another pay-per-install retailer claims to be the best partner.



The deal is that you have to register or sign up for an account. They then reply with your login credentials and a link to your installer. The email content looks like this.

Hey John,

Thank you for registering TheInstalls Affiliate program.
We doing the best to help You make more money with us.
You can start right away, everything ready!

Below your login details and URL for EXE:
URL to login: http://theinstalls.com
Login: john
Password: w5yJY6fSgp
EXE (exe generation will take about 30-40 mins): http://theinstalls.com/files/loaders/john.exe

Remember we offer payments on request for webmasters making more then 10000 installs per day. No shave, no hold, no bullshits, just a lot of MONEY :)

Have a nice day, Dear Partner!
-- TheInstalls team

**Please note that names and password were modified to prevent accidental installation of the malware.**
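The email shows that each affiliate gets a loader named after their login under `/files/loaders/`. The following is an added example, not part of the original post, of hunting web-proxy logs for downloads of such loaders and grouping them by affiliate name. The log format and sample lines are constructed, and treating `/files/loaders/<login>.exe` as the general URL shape is an assumption drawn from the single URL in the email.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: loaders follow the single URL shape shown in the email,
# http://<host>/files/loaders/<affiliate>.exe
LOADER_PATH = re.compile(r"^/files/loaders/(?P<affiliate>[A-Za-z0-9_.-]+)\.exe$", re.I)
WATCHED_HOSTS = {"theinstalls.com"}  # host taken from the email above

# Constructed sample lines: "<epoch> <client_ip> <status> <method> <url>"
SAMPLE_LOG = """\
1201680000 10.0.0.21 200 GET http://theinstalls.com/files/loaders/john.exe
1201680042 10.0.0.35 200 GET http://www.theinstalls.com/files/loaders/john.exe
1201680100 10.0.0.21 404 GET http://theinstalls.com/files/loaders/mary.exe
1201680150 10.0.0.40 200 GET http://example.org/files/setup.exe
1201680200 10.0.0.52 200 GET http://theinstalls.com/index.html
malformed line
"""

def find_loader_fetches(log_text, hosts=WATCHED_HOSTS):
    """Return {affiliate: [(client_ip, status, url), ...]} for loader downloads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the constructed format
        _, client, status, _, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        # Match the watched host and any subdomain of it
        if not any(host == h or host.endswith("." + h) for h in hosts):
            continue
        m = LOADER_PATH.match(u.path)
        if m:
            hits[m.group("affiliate").lower()].append((client, int(status), url))
    return dict(hits)

def delivered_clients(hits):
    """Clients that received a loader body (HTTP 200) and need triage."""
    return sorted({c for rows in hits.values() for c, s, _ in rows if s == 200})

if __name__ == "__main__":
    found = find_loader_fetches(SAMPLE_LOG)
    for affiliate, rows in found.items():
        print(affiliate, rows)
    print("triage:", delivered_clients(found))
```

Grouping by affiliate name shows which webmaster's site led clients to the loader, which helps trace the referring pages that need blocking.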

After you log in to your account, they introduce affiliate bundling promo tools that help maximize your profit.


This business is a "one-stop shop" for malware, including backdoors, trojans, spyware and worms. You just need to install this tool and they serve everything for you, including sites, content and all other affiliated binaries. Scary!

So now, the webmaster whose websites serve this pest just needs to log in to his account to check and monitor the count of installs and earnings.


Counting malware infection is now a $$ business!

These binaries are not yet detected by most security software. VirusTotal returned 20% detection out of 32 scanners, and searching for the keyword "pay-per-install" on Google gives 20,000 results. There must be serious business out there.

At the moment, this business carries binaries that work only on the Windows platform. But remember, it is possible that this pest will also include a binary for Mac, just as the Zlob codec crossed over and produced Trojan DNSChanger.