RSA Admin

Detecting the Russian Install Monster Bundler

Blog Post created by RSA Admin Employee on Jan 24, 2014

More malware than ever before focuses on referral abuse. If you haven't seen our previous article on massive referral abuse, you can check it out here at RSA's Speaking of Security Blog. Referral malware is gaining in popularity because it is a low-risk, high-reward way of using a botnet to generate easy cash. Instead of breaking international laws by using a botnet to harvest credit card information, botnets are now being used to install software, click ads, and even host files, each of which pays up to several dollars per infected host through companies offering referral or partnership cash-per-install incentives. Of course, in most cases, if not all, the companies offering referral cash have little or no idea that malware authors are automating the installation of this software and siphoning off the referral cash.


Below is a screenshot (translated from Russian) of one such Russian referral program.  They offer 1,250 Rubles, which is about 37 US Dollars for every 1000 downloads from their site.  If you could get a botnet to automate the installation of software under a referral ID, this would be an easy way to generate some quick cash.



Install Monster will actually host popular files on behalf of software authors, and it does this by hosting certain DNS names.  If someone wants a particular file, they have to go through Install Monster to get it.  This is what this traffic looks like in our Massive Malware Database for the past 24 hours:



There were over 1000 unique samples of malware that produced this traffic.  And if each session represents a single file download, this translates into almost 200 dollars of referral cash.


One sample infector can be viewed here at VirusTotal. You can see from the description that Dr.Web refers to this malware as the InstallMonster.47 Potentially Unwanted Program. Here is another writeup of the same variant over at McAfee.


Here is a sample session:



There is a post to /api/index (with no extension) and the information exchange looks to be encrypted.  As it turns out, this specific activity is enough to accurately identify the Install Monster software on your network.


You could create a rule and call it InstallMonster Detected. Alert it to your Alerts field, or to Risk.Suspicious. The contents would be:

directory='/api/' && filename=index
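To show what that rule matches outside of the NetWitness console, here is an added example (not part of the original post or of any RSA product) that applies the same directory and filename test to web proxy log lines. The log format, the host names and the client addresses are constructed for the example, and the POST check is an assumption drawn from the session described above rather than from the rule itself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic).
# Assumed format: "<client_ip> <method> <url>", one request per line.
SAMPLE_LOG = """\
10.0.0.5 POST http://files.example-host.test/api/index
10.0.0.6 GET http://cdn.example-host.test/api/index.php
10.0.0.7 POST http://other.example.test/api/index/
10.0.0.8 GET http://example.test/static/api/index
10.0.0.9 POST http://mirror.example.test/api/index?ref=123
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def split_path(path):
    """Split a URL path into (directory, filename) the way the rule expects:
    the directory keeps its trailing slash, the filename is what follows it."""
    if "/" not in path:
        return "/", path
    idx = path.rfind("/")
    return path[: idx + 1], path[idx + 1:]


def is_install_monster_checkin(method, url, require_post=True):
    """Equivalent of directory='/api/' && filename=index: the filename must be
    exactly 'index' with no extension, and the directory exactly '/api/'.
    Query strings are dropped before the test. require_post is an assumption
    added here; set it to False to mirror the rule as written in the post."""
    directory, filename = split_path(urlsplit(url).path)
    if require_post and method != "POST":
        return False
    return directory == "/api/" and filename == "index"


def scan(log_text):
    """Return the client addresses whose requests match the rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_install_monster_checkin(m["method"], m["url"]):
            hits.append(m["client"])
    return hits


if __name__ == "__main__":
    for client in scan(SAMPLE_LOG):
        print("InstallMonster Detected:", client)
```

Note that /api/index.php, /api/index/ and /static/api/index are all rejected, which is what keeps the rule from firing on ordinary web applications that happen to use an api directory.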


As referral malware gains in popularity, I expect to see blended threats coupling Zbot, Zeus, Citadel or others with referral cash siphoning. This Install Monster sample was delivered via the Symmi flavor of adware. Next time it could be delivered by a more nefarious threat. Use this easy rule to detect referral abuse, but be on the lookout for deeper compromises on affected systems.


Good Luck and Happy Hunting!