Malware authors have grown very attached to the idea of subverting legitimate business models for illegal purposes.

In  "TDL3: The Rootkit of All Evil?," my Russian colleagues Aleksandr Matrosov and Eugene Rodionov described how the DogmaMillions cybercrime group distributed the third version of the TDSS (a.k.a., TLD, Olmarik, or Alureon) rootkit using a PPI (pay per install) scheme. The DogmaMillions group seems to have been somewhat uncomfortable with the copious attention it received last year, and shut down in the fall. Major affiliates to DogmaMillions could earn a cool $100,000 daily, so it is no surprise that TLD4, the generation of TDSS, quickly found similar distribution channels.

GangstaBucks appeared at the end of 2010 and was widely advertised in various forums in Russia and elsewhere, offering very similar terms and features to DogmaMillions.

An affiliate is able to download the current version of the trojan downloader and to receive statistics relating to detection by anti-virus software. This is to discourage the partner from submitting the current version to services,  such as VirusTotal, that forward malicious samples to security companies. When the downloader is known to be widely detected, the partner receives a newly repacked sample, so the release/detect cycle begins again.

So what happens when the downloader is run? It sends information on the compromised system to a command and control server and requests a secondary downloader, which is responsible for downloading the core malware, in this case the TDL4 bootkit. Downloaders and links have a lifespan measured in hours so as to minimize the risk of detection by malware installation tracking systems.

The distribution system (and much more) is described more fully in their latest paper: The Evolution of TDL: Conquering x64. You might also find an their article for Virus Bulletin on “Rooting About in TDSS” of interest.