Botnet farmers play the international exchange game

Spyware authors are prepared to pay botnet farmers or webmasters much more for infecting PCs in the UK or Australia than machines in continental Europe.

Selling "installs" is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can be also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a "nice little earner".

The income that can be earned grows with the numbers of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm sheds fresh light on the phenomenon.

MeesageLabs culled its figures from a malware distribution site in Russia, the existence of which we've verified. The site is loaded with malware and for that reason we'll refer to it by a shortened version of its name, installscash.org.

The site boasts that it already works with 300 webmasters and has four years of experience to fall back on. It boasts of friendly support services and prompt payment. All in all it's all very cybercrime 2.0.

The site boasts: "Anybody can work with our partnership program InstallsCash! You have to do only one thing! Put a short one line iframe code on ur page(s) and START MAKING MONEY!"

"You won't lose your unique visitors with us! You can also have your own exe," it adds.

Following these instructions by the addition of a simple line of code boobytraps web pages with code that attempts to install spyware onto the PCs of visiting surfers. Infected sites might be hosted on a hacked site, a site hosted on a web server or even a botnet-hosted web page.

Instructions could then be issued to the offending botnet computers to visit the page, download the code and execute it. Once the spyware is installed, it would register with the "seller" and the "affiliate" would then be paid.

While MessageLabs has not yet identified what the downloaded spyware does, it is updated every three days to evade detection. Installscash.org states: "Our program (size: 3 Kb) is loaded to the user and it changes the homepage and installs toolbar and dialer. It’s activated and revealed in 15-30 minutes after download."

MessageLabs notes the similarity between installscash.org and a recently defunct site, iframedollars.biz, which was also hosted in Russia. ®