Threat Research & Response Blog
In the previous post, we gave an introduction to how file partnership programs work and how they make money off unsuspecting users by charging them for software that is actually free. In this post, we'll walk you through a sample of one of these "paid archives". The following "paid archive" imitates the appearance of the Adobe Flash Player 10 installer. Let's look deeper into this sample and work out the typical scenario. We detect this sample as Program:MSIL/Pameseg.G (SHA1 1929bab927a6e2f6df164dfbf819ce04dd29ad90). It was created with the Packer software distributed by the ZipArchive.com file partnership.
Figure 1: The program looks exactly like the legitimate Adobe installer
At this point the program only pretends to be doing something; an attentive user may notice that there is no CPU load while it is supposedly unpacking. The program tries to make the user believe that the real Adobe player is being installed. The next installation step is, unexpectedly for the user, an activation dialogue (see Figure 2). This screen looks like part of the original Adobe installation process, although the legitimate Adobe installer never asks a user for activation. At no point in the installation of the "paid archive" is the user ever asked to buy the "paid archive". Instead, the program asks for activation while keeping the look and feel of the real Adobe installer. This is purely a social engineering tactic designed to trick users and keep the monetary aspect below the radar.
Figure 2: "Paid archive" activation dialogue
After finishing the unpack simulation, but before unpacking the actual data, the Packer connects to a command server with the query shown in Figure 3:
Figure 3: Query to the command server
The server assigns a session key and returns the list of countries available for billing (see Figure 4), that is, the countries where the premium SMS service is supported:
Figure 4: Country list – Russia, Ukraine, Kazakhstan, Belorussia, Slovenia, Uzbekistan, India, Brazil...
The dialog in Figure 2 prompts the user to select the country in which he or she is located. When a country is selected, the server replies with the parameters shown in Figure 5: the SMS aggregator's short number (which is country-specific) and a service code.
Figure 5: HTTP dump for the country selection dialogue
It then prompts the user to send an SMS to this number. The number is a premium-rate number, so the user is charged a premium amount, as we discussed in the previous post. If the user sends the SMS, an "activation code" is sent in reply. As shown in Figure 6, this code has to be entered in the activation password field, after which it is sent to the command server. Figure 7 shows how the entered activation password is verified by the server.
Figure 6: Activation code input area
Figure 7: HTTP dump for activation code verification dialogue
The server checks whether the activation code entered is valid. If it is not, the server replies with a "FAIL" status; otherwise it replies "OK" and optionally sends the unlock password for the embedded archive. The Packer then decompresses the embedded archive and optionally transfers control to its content. Note that when the archive is protected by such a password, the password exists only on the server side until a valid code has been verified, so the embedded content cannot simply be unpacked from the sample on its own.
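To make the exchange above concrete, here is an added model of the whole activation flow with both sides present: a mock command server that assigns a session key, serves the country list, hands out the short number and service code, verifies the activation code and only then releases the unlock password, and the Packer's side that walks through those steps and unpacks the embedded archive. This is illustration code written for this post, not the Pameseg Packer's code or the real server protocol; the message field names, the country table, the short numbers and service codes, and the way the embedded archive is locked (a keystream mask plus an HMAC tag standing in for a password-protected archive) are all constructed here.

```python
"""Model of the "paid archive" activation exchange (added illustration, not
the Pameseg Packer's code: field names, billing table and archive locking
are constructed for the example)."""
import hashlib
import hmac
import secrets
import zlib


def _keystream(password: bytes, n: int) -> bytes:
    # SHAKE-256 as a simple extendable keystream for the stand-in "archive".
    return hashlib.shake_256(password).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_paid_archive(payload: bytes, password: bytes) -> bytes:
    """Stand-in for the Packer's embedded archive: the compressed payload is
    masked with a password-derived keystream and tagged with an HMAC, so it
    is useless until the server hands over the unlock password."""
    data = zlib.compress(payload)
    tag = hmac.new(password, data, hashlib.sha256).digest()
    return _xor(data, _keystream(password, len(data))) + tag


def open_paid_archive(blob: bytes, password: bytes) -> bytes:
    """Unmask and decompress; raises ValueError on a wrong password."""
    body, tag = blob[:-32], blob[-32:]
    data = _xor(body, _keystream(password, len(body)))
    if not hmac.compare_digest(hmac.new(password, data, hashlib.sha256).digest(), tag):
        raise ValueError("wrong unlock password")
    return zlib.decompress(data)


def offline_unpack_succeeds(blob: bytes, guess: bytes) -> bool:
    """What an analyst sees without the server: the archive does not open."""
    try:
        open_paid_archive(blob, guess)
        return True
    except ValueError:
        return False


class CommandServer:
    """Mock of the affiliate's command server. Country codes, short numbers
    and service codes are placeholders, not any real aggregator's."""

    BILLING = {
        "RU": {"short_number": "0000", "service_code": "SVC-RU"},
        "UA": {"short_number": "0001", "service_code": "SVC-UA"},
    }

    def __init__(self, archive_password: bytes):
        self._archive_password = archive_password
        self._secret = secrets.token_bytes(16)  # mints/verifies activation codes
        self._sessions = {}

    def new_session(self) -> dict:
        """Figures 3/4: assign a session key, list countries with premium SMS billing."""
        key = secrets.token_hex(8)
        self._sessions[key] = {"country": None}
        return {"session": key, "countries": sorted(self.BILLING)}

    def select_country(self, session: str, country: str) -> dict:
        """Figure 5: short number and service code for the chosen country."""
        if session not in self._sessions or country not in self.BILLING:
            return {"status": "FAIL"}
        self._sessions[session]["country"] = country
        return {"status": "OK", **self.BILLING[country]}

    def sms_reply(self, session: str) -> str:
        """The activation code the aggregator texts back once the premium SMS is paid."""
        return self._activation_code(session)

    def verify(self, session: str, code: str) -> dict:
        """Figure 7: check the code; on success return the archive unlock password."""
        sess = self._sessions.get(session)
        if sess is None or sess["country"] is None:
            return {"status": "FAIL"}
        if not hmac.compare_digest(code, self._activation_code(session)):
            return {"status": "FAIL"}
        return {"status": "OK", "password": self._archive_password.hex()}

    def _activation_code(self, session: str) -> str:
        return hmac.new(self._secret, session.encode(), hashlib.sha256).hexdigest()[:8]


def run_activation(server: CommandServer, blob: bytes, country: str, send_sms: bool = True):
    """The Packer's side of the exchange. Returns (status, unpacked payload or None)."""
    resp = server.new_session()
    session = resp["session"]
    if country not in resp["countries"]:
        return "unsupported", None  # country not in the Figure 4 list
    billing = server.select_country(session, country)
    # Here the dialog tells the user to text billing["service_code"] to billing["short_number"].
    code = server.sms_reply(session) if send_sms else "00000000"  # victim paid, or typed a guess
    result = server.verify(session, code)
    if result["status"] != "OK":
        return "FAIL", None
    return "OK", open_paid_archive(blob, bytes.fromhex(result["password"]))


if __name__ == "__main__":
    unlock = b"server-held-unlock-password"
    archive = build_paid_archive(b"MZ... (free installer bytes, constructed)", unlock)
    server = CommandServer(unlock)
    print(offline_unpack_succeeds(archive, b"guess"))  # locked until the server says OK
    print(run_activation(server, archive, "RU"))
    print(run_activation(server, archive, "RU", send_sms=False))
```

The point the model makes explicit is the one that matters for analysis: every step that costs the victim money is driven by the server's replies, and the embedded program is only released after the server has confirmed a paid activation, so a sample examined in isolation shows the dialogs and the network query but not necessarily the content it will eventually run.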
In the end, the user may end up installing a freely downloadable program at the cost of a premium-rate SMS. This is more or less the standard scenario for such "paid archives".
The websites that distribute "paid archives" are usually profitable businesses. Most of them are located in Russia and former Soviet territories, although they accept payments from many countries. The various affiliate programs offer attractive terms for partners (a high "convert rate", i.e. the share of downloads that end in a paid SMS), hosting that withstands abuse complaints, and referral rewards for recruiting new affiliates (called "Adverts" in these programs).
Some partnerships openly advertise that they perform "cleaning" or "archive auto-update" on a regular basis. This means they re-pack the "paid archives" for Adverts whose "convert rate" has dropped because their archives are being detected by antivirus programs. This feature is what these partnerships have in common with pure virus- and exploit-based partnerships, which use a Pay-per-Install affiliate model.