The Latest in IT Security

Easy Money: Program:Win32/Pameseg (part one)

14
Nov
2011

Nowadays many people believe in the opportunity to achieve great wealth without much effort, not leaving the house, not interrupting their favorite computer games, forums, social networking and so on. This type of opportunity is widely marketed by companies providing paid digital content services. You may have seen online advertising banners such as:

Make a million bucks without picking your backside off the chair! Vasya Pupkin earned 2000 a day practically doing nothing and it’s not the end, you can do more! Earnings over the Internet – what could be easier?!

In most cases, the offers are based on participation in different multi-level marketing and affiliate program schemes as an Advert. Affiliate program schemes are usually controlled by entities that own different paid services, such as online dating, adult services, paid archives, and so on. Let’s look deeper into paid archives as they seem to be the most profitable while remaining legitimate and virtually immune against the law. This is the first blog post in a series that discusses the affiliate program scheme.

Affiliate program schemes are composed of two entities: an affiliate program partner called an Advert, and the service owner who recruits the Advert. The Advert is the person who does all the dirty work, relieving the service owner from any legal responsibility. Adverts install specially designed software (at the prompting of the service owner) called Packer on their computers. With this software, Adverts can create “paid archives” of arbitrary content (although the content has to follow the affiliate program rules). Note that in all cases, the service owners are not responsible for what content is created by the Adverts. The owner only provides the Packer, hosting services, landing pages containing descriptions and download links, and finally oversees the financial side of things: billing and distribution of funds received from users.

Relationship between Advert and service owner

Figure 1: The relationship between an Advert and the service owner

In case the Advert is not interested in creating their own content, the Packer program provides certain templates. These include standard dialogs, images, icons, and so on. These templates may even look very similar to well-known software installers. What the Advert needs to do is just choose a template, specify the location of files that should be included in the installation, and hooray! The paid archive is ready. The Packer program deflates source files into a password-protected 7Zip archive (the password is created and stored on a network server), then it embeds the archive into the output file so that user who choose to install this file will be asked for a password/unlock code. All the samples we have seen use 7Zip as an archiver as it is open source.

Templates to create paid archive

Figure 2: Templates to create “paid archives” – the Flash Player bundled into the archive (1929bab927a6e2f6df164dfbf819ce04dd29ad90) is detected as Program:MSIL/Pameseg.G

So far, this sounds pretty straightforward – an entity recruits people to create content for them.

But this is where it gets tricky: usually, the service owners suggest the Adverts to create archives of content that is either distributed free of charge or not protected by copyright. Let’s take Skype as an example. Here’s a “paid archive” with an embedded Russian-language Skype installer.

Skype installation when bundled with a paid archive

Figure 3: Skype installation when bundled into a “paid archive” – the archive (0d31ff577cb45d765f2fae3df51f8b1a4ba95dcf) is detected as Program:MSIL/Pameseg.G

This “paid archive” copies the appearance of the installer for Skype, although it is not digitally signed. At some point in the installation process the program will ask the user to send an SMS to a premium (unbeknownst to the user) number, thus incurring charges for the user. In other instances, the program asks the user to send his or her mobile phone number to “receive an SMS free of charge”. In fact, when the user enters his number, he receives an SMS asking for his age or any other piece of information, supposedly as “confirmation”.

At this point, again, the user is charged for sending SMS messages to a premium number. The charge is usually between 5 and 20 USD (after currency conversion), depending on the “price category” defined by the author of the archive. Then the user receives an SMS message in reply, which contains the password for the archive and thus can continue installation of what is otherwise a free program.

Now we are faced with the direct fraud scheme that tricks users into basically paying for a service when they don’t need to. They could simply go to the official program website and download the installer straight from there, instead of paying money for a so-called “file sharing service” (as it’s called in the EULA). So the money they just paid via the premium SMS goes not to the legitimate owners or copyright holders of the program, but instead goes to the service owners and the Adverts, both of whom have no right to profit from the program. We detect these paid archives as potentially unwanted software – Program:Win32/Pameseg and Program:MSIL/Pameseg.

Coming up in part 2 of this series: an example of how the “paid archive” scheme works.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments