Putting Out a HIT: Crowdsourcing Malware Installs

By Chris Kanich, Stephen Checkoway, and Keaton Mowery.

In Proceedings of WOOT 2011. USENIX, August, 2011.


Today, several actors within the Internet’s burgeoning underground economy specialize in providing services to like-minded criminals. At the same time, gray and white markets exist for services on the Internet providing reasonably similar products. In this paper we explore a hypothetical arbitrage between these two markets by purchasing “Human Intelligence” on Amazon’s Mechanical Turk service, determining the vulnerability of and cost to compromise the computers being used by the humans to provide this service, and estimating the underground value of the computers which are vulnerable to exploitation. We show that it is economically feasible for an attacker to purchase access to high-value hosts via Mechanical Turk, compromise the subset with unpatched, vulnerable browser plugins, and sell access to these hosts via Pay-Per-Install programs for a tidy profit. We also present supplementary statistics gathered regarding Mechanical Turk workers’ browser security, antivirus usage, and willingness to run arbitrary programs in exchange for a small monetary reward.



  author =       {Chris Kanich and Stephen Checkoway and Keaton Mowery},
  title =        {Putting Out a {HIT}: Crowdsourcing Malware Installs},
  booktitle =    {Proceedings of WOOT 2011},
  editor =       {David Brumley and Michal Zalewski},
  organization = {USENIX},
  year =         2011,
  month =        aug,
  url =          {https://checkoway.net/papers/mturkppi2011},