Get Your Money for Nothing and Your Clicks For Free: Software Referral Programs Spur Crimeware-as-a-Service

When it comes to malware, most people think of nasty viruses that steal personal credit card information, or lock up your system until you pay a ransom to the malware author.  And while those types of malware are still in the wild, an increasingly common breed of malware is custom-designed to target corporations that pay cash to affiliate referrers for each installation of the target’s software. This type of customized malware is written specifically to install software on a victim PC under a referrer’s identity, make the infected machine click on ads that pay pennies per click, and direct it to purchase “likes” on social media.  In fact, the RSA FirstWatch team wrote about this previously in our Zbot and the Instagram Army post here.  Now there is a rise in this type of malware, often garnering significant paydays for their authors. To understand referral services and how they earn money, let’s take a look at a few of the most common ads and referral codes used on the web today – Google’s AdSense and Amazon’s Referral Program. (Note: we point to Amazon and Google purely as examples, not because RSA FirstWatch has evidence that either web company is subject to referral program abuse written about in this blog.) Google AdSense works by embedding a java script on websites with a hard-coded AdSense ID.  In Figure 1, here is the embedded AdString from a popular check-in site for malware to determine an infected host’s local IP address:

Figure 1: Embedded AdString used in software referrer programs

This unique identifier tracks page visits, and if someone clicks on the ad, the account holder will receive pennies or dimes depending on the ad.  RSA FirstWatch researchers have seen malware, including a sample described below, that has automated clicks to specific ad user IDs. One of the most ubiquitous referral programs is’s affiliate program.  Website operators can receive 10 to 15% of any product sold on Amazon’s Online Storefront if a shopper goes to Amazon by clicking on an embedded ad on an affiliate website.  Similar to Google, Amazon’s program uses a model that embeds a unique referral ID to track clicks made from affiliate websites. The programs have been shown to be extremely lucrative. America’s top-ranked podcast, for example, finances itself by using Amazon referral cash. RSA FirstWatch researchers have observed similar referral IDs for software installations- such as music streaming players, security software, toolbar installations, etc- in the malware sample described below.  This implies that someone – either the malware author himself, or one of his crimware-as-a-service clients, is earning cash each time the malware automates the installation of software that pays referral bonuses on a victim PC. One way for malware authors to know which affiliate programs pay the most is to visit one of many all-in-one web sites that list businesses, their affiliated products, and their promotional payouts.  In fact, most malware we see today that engages in affiliate abuse, targets multiple referral programs which offer a steady stream of income to malware authors or their clients who purchase clicks and installs via crimeware. How One Malware Sample Seeks to Exploit Pay-per-Click Referrer Programs The malware sample in this VirusTotal report is one such example targeting an all-in-one affiliate program meta site. As you can see this Trojan is about 1 MB in size.  However, while this installer Trojan is small in size, it causes a cloudburst of activity on a network just moments after installation, spewing 33 MB of network traffic that includes forged advertising clicks, installations of software such as online media players, a third party Flash player, a Windows DVD ripper, and a Spanish language-based fax software. Using RSA Security Analytics, the RSA FirstWatch team was able to capture the complete MetaBurst of 269 Internet hosts that a single malware-infected PC visited in the first four minutes of infection.  A fair number of the domains visited by this infected PC are owned by web sites that participate in affiliate and cash payout promotions. Examples include:

  • A streaming video player
  • An all-in-one flash video player that performs user ad tracking
  • Media software that pays per install and runs video advertising
  • Several notorious browser hijackers
  • Several video sharing “prize sites”
  • An alternate search engine and ad tracker
  • A personal background checking site that pays referrals
  • A pay-per-click ad agency
  • Survey sites that pay cash to participate in market research
  • Streaming media advertising companies.
  • Online wallet app sites.  Some affiliate programs allow pay-per-click cash to be deposited directly into online accounts such as Google Wallet.

Perhaps the most unusual abuse in this malware’s behavior is that it engages in prize rigging on the new Social Media Video sharing site called  On Vube, non-celebrity people compete for big cash prizes for having the most popular music video, as determined by the number of “likes” it receives from website visitors.  In the malware we observed (Figure 2), one Vube user received several automated “likes” and her video was already listed as a $900 winner. There were other Vube likes for different users generated as well (Figure 3), however, those videos were not tagged as prize winners.

Figure 2: Automated “Likes” used to stack the deck?
Figure 3: Prizewinner may have received automated “Likes”

This of course does not mean that this Vube User was the malware author – but she, or someone on her behalf, may have purchased automated Vube likes from an online service like this one here that sells 50 Vube Likes for 10 dollars. Those likes are automated by crimeware-as-a-service Trojans such as the one described in this post. RSA FirstWatch contacted the security team at who were grateful for the intel and were taking seriously ways in which it can eliminate this kind of abuse. While it doesn’t pose a risk to Vube’s users, the malware attempts to game the system in an effort to create an unfair advantage. Finally, it is important to note that this malware does not check in to any Command and Control  (C&C) Server, and it does not download any secondary malware infectors outside of the browser hijacking installer.  However, it does harvest a payout from over a dozen companies that offer affiliates cash for referrers and clicks.  All of those referral nickels and dimes can add up to real dollars per infected host for the malware author and his crimeware-as-a-service clients.  If you multiply these installations to near-botnet proportions, it’s easy to see that crimeware-as-a-service can be quite lucrative. For companies that operate an affiliate program, care should be taken to monitor the referral program to protect it from abuse.  Even this particular malware sample in Figure 4 shows that some affiliate programs have taken steps to block automated attacks:

Figure 4: Screenshot of website errors encountered by automated malware

As this particular sample becomes less and less effective and gains a higher detection rate by AV vendors, the malware author will likely modify his crimeware, include new referral abuse targets, and alter the code enough to avoid AV detection. What do you think of this type of malware?  Have you observed anything like this in the wild?

No Comments