Installing Malware for Money (The Pay-Per-Install Business)
The Pay-Per-Install (PPI) business model has been around for a number of years. The PPI business exists to spread ads. Usually it works by having the "associate" sign up with a PPI business site. The PPI provider then sends the associate a file, usually some type of adware program. The associate "binds" that adware program to a working program that they may host on their site. A binder is a program that combines the adware program the associate was sent with a known program. The result is that whoever downloads that program gets the adware installed on their computer. The associate is paid per install of the adware that the PPI site sent them.

This business has changed over the years. It has gone from having people download and install adware without knowing it to having them download and install spyware and possibly some type of virus. While some PPI sites are legitimate, the majority push Trojans and spyware to unsuspecting users. At the end of the day, these PPI sites are creating an underground economy where the players profit from installing malware. This economy is broad enough that there is even a side business selling programs that make it harder for computer users to detect that they are installing something malicious.

We will first look at www.pay-per-install.org. This site hosts a forum where people come together to talk about the PPI business and how to make money doing it. The site is used for a variety of reasons. First, it has affiliate programs, set up so that people can get an idea of which PPI program is currently paying the best and paying reliably for installs. The site is also used to discuss how to make money the fastest and how to advertise links to get people to download installs. Finally, the site has a guide to get people started in the PPI business.
Kevin Stevens

Kevin Stevens is a Threat Intelligence Analyst with the SecureWorks Counter Threat Unit. He has four years of experience in the security field and almost 10 years of experience in IT. Kevin has worked for such companies as Data General, EMC, and CNN. His main areas of expertise include packet analysis, malware analysis, vulnerability research, and intelligence gathering.