IT security professional Didier Stevens has been conducting an experiment into computer user stupidity by running a Google Adwords campaign which offers to infect your PC for free. The advert actually read:
Is your PC virus-free?
Get it infected here!
Which should be enough to stop all but the terminally dumb from clicking upon it, yet hundreds of people did just that during the six months of this remarkable experiment into sadly predictable user behavior. The user agent string which identifies the site visitor to the server, and includes browser application information, shows that an amazing 98 percent of those stupid folk were running Windows. Now OK, I know that Windows is the dominant OS, and OK I know that there are more newbies running Windows as well, but even so that is something of an eye-opener is it not? Are Linux and Mac users just more wary, more educated in security issues or less gullible?
Whatever, the one thing that the experiment proves beyond nay reasonable doubt is that there are idiots out there who are so click happy that even the direct threat of infection is not enough to prevent them from doing so. No wonder, then, that the botnet problem remains so great, that spam continues to grow in volume, that Microsoft can get away with selling an entire OS on the basis of it being more secure than the last one which we never really got around to patching up properly.
What Didier Stevens did was simple, he purchased the drive-by-download.info domain and published a web page that just contained the text ‘thank you for your visit’ and nothing else. Linking this to a Google Adword campaign proved both easy and affordable, with a click-through rate of 0.16% it cost him $23 over that six month period. Hardly a fortune considering he could have infected hundreds of computers and set up a rentable botnet as a result. Stevens is quick to point out here that “no PCs were harmed in this experiment” which executed no drive-by download scripts and installed no malware. You can see a video of the advert in action, posted by Stevens on YouTube.
Just as worrying as the 409 people who clicked upon the advert, is the fact that Google was more than happy to run it despite it being deliberately designed to be as suspicious as possible. Although Google did eventually pull the campaign, after six months and when Stevens published his results, it allowed it to run unchallenged for all that time.
This is made all the more embarrassing for Google as the revelations come at much the same time it has published a report, "The Ghost In The Browser: Analysis of Web-based Malware" (PDF), written by Google researchers which warns of the dangers of drive-by downloads. "Even a single visit to an infected website enables the attacker to detect vulnerabilities in the user’s applications and force the download a multitude of malware binaries" the report states. It found that of 4.5 million URLs that were analyzed in depth, 450,000 were launching successful drive-by malware downloads...