IT security professional Didier Stevens has been conducting an experiment into computer user stupidity by running a Google Adwords campaign which offers to infect your PC for free. The advert actually read:

Drive-By Download
Is your PC virus-free?
Get it infected here!

Which should be enough to stop all but the terminally dumb from clicking upon it, yet hundreds of people did just that during the six months of this remarkable experiment into sadly predictable user behavior. The user agent string which identifies the site visitor to the server, and includes browser application information, shows that an amazing 98 percent of those stupid folk were running Windows. Now OK, I know that Windows is the dominant OS, and OK I know that there are more newbies running Windows as well, but even so that is something of an eye-opener is it not? Are Linux and Mac users just more wary, more educated in security issues or less gullible?

Whatever, the one thing that the experiment proves beyond nay reasonable doubt is that there are idiots out there who are so click happy that even the direct threat of infection is not enough to prevent them from doing so. No wonder, then, that the botnet problem remains so great, that spam continues to grow in volume, that Microsoft can get away with selling an entire OS on the basis of it being more secure than the last one which we never really got around to patching up properly.

What Didier Stevens did was simple, he purchased the drive-by-download.info domain and published a web page that just contained the text ‘thank you for your visit’ and nothing else. Linking this to a Google Adword campaign proved both easy and affordable, with a click-through rate of 0.16% it cost him $23 over that six month period. Hardly a fortune considering he could have infected hundreds of computers and set up a rentable botnet as a result. Stevens is quick to point out here that “no PCs were harmed in this experiment” which executed no drive-by download scripts and installed no malware. You can see a video of the advert in action, posted by Stevens on YouTube.

Just as worrying as the 409 people who clicked upon the advert, is the fact that Google was more than happy to run it despite it being deliberately designed to be as suspicious as possible. Although Google did eventually pull the campaign, after six months and when Stevens published his results, it allowed it to run unchallenged for all that time.

This is made all the more embarrassing for Google as the revelations come at much the same time it has published a report, "The Ghost In The Browser: Analysis of Web-based Malware" (PDF), written by Google researchers which warns of the dangers of drive-by downloads. "Even a single visit to an infected website enables the attacker to detect vulnerabilities in the user’s applications and force the download a multitude of malware binaries" the report states. It found that of 4.5 million URLs that were analyzed in depth, 450,000 were launching successful drive-by malware downloads...

318 Views
About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Infarction 503

Small wonder there's so many problems with malware spreading these days...

Dani 1,954

I think it was clicked on more for the curiosity factor than people who were just too click happy for their own good.

happygeek 2,411

Possibly, although my experience suggests that you really shouldn't underestimate the capacity for stupidity when it comes to the clicking of anything online, even an advert for a nice free infection.

scru 909

....I wanna work for Norton....or McAfee....

happygeek 2,411

...I wanna own Norton...or McAfee... ;)

jwenting 1,649

Given that almost 98% of workstations used by the (young and) uninformed are running Windows it's no surprise that that's the majority of respondents...

It's the same target audience as any other malware author. "I love you" mass emails, "Britney Spears naked" mass emails, they all target exactly the same users and with similar success.

Of course the vast majority of well informed and well educated people also run Windows.

And oh, the only reason a larger percentage of stupid people don't run Macs is the price, with availability also being a factor.
Those are generally people who are extremely sensitive to status and marketing, and Macs are "kewl", but their high price and generally poor availability through mass market channels make them less easy to get for that same audience.

"I think it was clicked on more for the curiosity factor than people who were just too click happy for their own good. "

I'd love to have your confidence in people. But experience with end users has led me to believe otherwise.
There is no bound to the stupidity of the average person, especially when it looks like (s)he can get something cheap (or even better, for free).
Hordes will loose all sense when they see the words "free" or "discount" and purchase whatever it is no matter the actual price or whether it's something they could even theoretically use.
One prime example was a large sign outside a store I saw some 15 years ago. I loudly proclaimed that handbags were discounted from 29.95 to 39.95.
I asked the shopkeeper about that, and he responded that business had never been so good before he put up that sign. People (mainly women) were blinded by the sign's statement of a discount, didn't even read the actual before and after price, and bought the things like mad.

Noticed the same thing a few years later when I got a brochure for a new investment/savings account from a (until then) unheard of company.
It looked suspicious so I did the math about their claims, turned out I was right and the total payment into the account was higher than the promised amount you'd get after 5 years (never mind compound interest and dividends).
Yet they signed up thousands of people in just a few weeks, based solely on the large numbers and wild claims in that brochure.

Or what about the student who wanted to show how easy it is to get people to sign petitions about supposed dangers of chemicals.
He went around campus asking for signatures on a petition to ban the dangerous substance of di-hydrogen monoxide.
He got thousands of signatures from not just fellow students but professors and staff as well, including chemists and physicists.
Of course the substance they signed up to get banned is water...

So no, I'm not surprised that people fall for things like that, not at all.