Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hundreds Click on Click Here to Get Infected Ad



 By: Lisa Vaas
2007-05-18
Article Rating:starstarstarstarstar / 2


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: The fact that 409 people clicked on an ad that offers infection for those with virus-free PCs proves that people will click on just about anything.

People will click on anything.

That was evidenced by the 409 people who clicked on an ad that offers infection for those with virus-free PCs. The ad, run by a person who identifies himself as security professional Didier Stevens, reads like this:

Drive-By Download
Is your PC virus-free?
Get it infected here!
drive-by-download.info

Stevens, who says he works for Contraste Europe, a branch of the IT consultancy The Contraste Group, has been running his Google Adwords campaign for six months now and has received 409 hits. Stevens has done similar research in the past, such as finding out how easy it is to land on a drive-by download site when doing a Google search.

In a posting about the drive-by download campaign, Stevens says that he got the idea after picking up a small book on Google Adwords at the library and finding out how easy and cheap it is to set up an ad.

Resource Library:
"You can start with a couple of euros per month," he said. "And that gave me an idea: this can be used with malicious [intent]. Its a way to get a drive-by download site on the first page of a search."

First, Stevens bought the drive-by-download.info domain. .info domains are notorious for hosting malware, he points out. Then he set up a server to display the innocuous message "Thank you for your visit" and to log the requests.

No PCs were harmed in this experiment, he emphasizes. The site is benign and has never hosted malware or other scripts or code. Then he started the Google Adwords campaign, using combinations of the words "drive-by download" along with the ad, which links to the drive-by-download.info site.

Next, he sat and waited … for six months.

Over that period, his ad was viewed 259,723 times and clicked on 409 times, for a click-through rate of about .16 percent. The experiment cost him $23, or 6 cents per click/potentially infected machine.

Of the 409 people who clicked, 98 percent were running Windows machines, according to the user agent string, which is a text string that identifies a Web site visitor to a server. The agent string typically includes application name, version, host operating system and language.

This is the breakdown for the browsers that were used in those 409 clicks:

IE 5.5 1
IE 6.0 286
IE 7.0 48
Safari (419.3) 1
Opera 9.01 1
Opera 9.10 1
Firefox 1.0 7
Firefox 1.5.0.7 9
Firefox 1.5.0.8 2
Firefox 1.5.0.9 3
Firefox 2.0 3
Firefox 2.0.0.1 6
Firefox 2.0.0.2 1
Firefox 2.0.0.3 21
SeaMonkey 1.1 2
AdsBot-Google 24

Total 416

Stevens found a discrepancy of seven hits recorded by his logs but not reported by Google. He believes those seven click-throughs might have come from bots that Google filtered out. Bots often include a URL and/or e-mail address in their user agent string so that a Webmaster can contact the botnet operator.

Click here to read about Googles perspective on Web-based exploits.

Stevens says that he designed his ad to make it look fishy, but he had no problem getting Google to accept it and has had no complaints to date. And, although a healthy amount of people clicked on it, he said theres "no way to know what motivated them to click on my ad. I did not submit them to an IQ-test."

The reason for running the experiment and publishing his results now is that this technique of putting up ads for what turns out to be drive-by downloads is being used in the wild. For example, the popular geek hardware store Tomshardware.com discovered a Trojan, hosted out of Argentina, lurking on one of its banner ads earlier in May.

Stevens has posted a video of Google showing his ad here on YouTube.

Stevens said hes sure he could get much more traffic if he invested more in his Google Adwords budget and came up with a better designed ad.

Editors Note: This story was updated to correct the stated percentage of drive-by-domain.info views that resulted in clicks and the country hosting malware on tomshardware.coms banner ad. We regret the errors.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Hundreds Click on Click Here to Get Infected Ad
>>> Post your comment now!
64
54645
Posted At: 01-26-09
By: u6
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xr80VӮc*d[.kʶ<<ձ $)CRtsb_bq3 -R]}]DD"3H$?y$3W7-gB]snS;sa@ Z.%w>; ͂(+o1mnf], _hvGlJ~x'AT1vR-)&ӰY |+[3}Bq~qbw[ .hqLIlG5tuK͂%H}xu)t}(DIږy@6GǮJ;ߣ*#7 ݙx8/DeOXIYɼMcAy<5A[h =k|Ekw0Ni?쓑7@Sա*"U{Q5h"f3r=F&lw&"S#&-Ahlu"YRi 3܉\;@ڮSVHf̲ݷt{#Է@:SqS 3MuI/#!_TBRp`åzS+kz?Ķh{' ]U~Bomz^u7ߝ;>iz(ji˜HJ&ԃ)}(p}=\'t, .EӝÌfؖqSth(́V* (ZPʍxxg9{ؖ3p*s_gJU4Ei/B(֝h m+V0ݣ^w2 ϝwuq gr,ȯwD_j0QEVKY-D'Y_5}(ĭ~o[FIS 40"ÌJ3~̢J9ŠsuywȠstzx |g9̠jPEf+2hZu\_?_s\w/{}rһ"ǝݣNY; i f׵V:'^=:$lrK,.iTWZxqhC!u{D ,_dxpLu:8?# | ,-˝)Tt</Rzhf5 t @CX&%m"C N9AsEjୱJ+Ҕ& 9B:A`ܺm49,8蟩$m4@r5XSl؅ ROFo4'M XZEU>hi"A[T}OW%ތ1E|r+E !\JZ!}!0!p,z4pOಶyx!Bwެ-Ujմީ/~ӲKwI|eO~S35ލhX.B2i%!g8W5MGVm$cW*P\?(ËJCU~^p-Aqj2B c=M:vX< 0 D>/;3jZYs;Ni$|NI8h&ƋCriZnL-rӇt#Lڠ~N;ݧn]=&tno/*AbG& ahh5 ZLH#AтMkIO7 ̀-s'08wɭ5 "Q HX^0 vjiqHpyE]uCbBXȁf`so뷺e#97(uKw2J}g>(O)))?]HPw9DJ B!B0H`P쎄J9mW*lJe 3wJRF;7 +=*%nqR%e 932YIf=?j1!UG ,D`v9J,L.[ ϴ6je[J"4T(/9 O+FEQ S#U^?)pXL9}:79MG3wD` [I37?`b#c[l~pe l4TfFfOhp }5lwnC9Z{[N/=\214fכ ngd50+gYA3'|$@]<>+WUPÃ"`"+42[=!= \P(Tw^EY䞅Ꞧ_5YXX`nRd8ug6i 3Xh8G/C4jCr4$֒fۏRu-zց$l *=Ұ.Z)![r5}a׼6F]RYRKHDlHfc/Υò=CMD27u!{j-j&O[?&TYiO;LYV2GzESځ5r X;7l ʸnJY Yr>:u>\ȃ`w!]C}qϟ  sFWyYFYa0OykR^K?NAYj8+ 8c*(Siɡ;S!΁Eo꽿g2ms1ה  `3|xKߙ[WaeSƘ=H`#+0\ +RU(p5K2)N<:`r]TՑn OQGA.C{MtAkY, ܠYCaiϖ҆Z/Vu1#i}[U!Ӕ1Ze ɲ7)Ь6V#ie.N3)a;/&6}j;_&*|)2SG)Z|bZ.3zXz+)uz`E5&QrEE 7uGM4:H$!I(uO(KeGIu|f*kZQR^?*r;.i1Y+(#t+Yǽi m.D<9[% 17ʨTIQ+Gs;"Jgԋbq{q>'F{4lGj+jBgYb `0O?[&iYyڴiD@kXJ7eFV5XI0iuI+KZ =2aӣ>U~UL&rfSS]8`rOn͏;W9!0JGRiemR~ܑN[ } ($j^ç,z,t2jU5dPeHb.x|V n&] y>1a ~w]fr~8)zŻRvipU^wO*V%?\>]K? F&;fB,&8oH ӸWsQ=-#銿z=;  Fk;r zyCB|};]Sz{ёX'Kփ 7Y>BVç48ryQ$ Q2c(A-6ܹN'S4sJd":Q%;?m-~=Prv## :T~:1mF]nց39X)Nxsyؠ#%tBM[4D]{gE Sz7ngm,b20t[h_?I+bqO n<4 t3VTsb;i6$BUU+jۻA\EVe.tїN|*<9qgȤ@7YU (f~\;pOҠ%cc}d}ݸw[f1viÉfwoJPY.=]awQ[]xÞ6wYiEU.J\-"PnGZY|:K%0)7۴ rUCauk§u,'i_JWc#ZT=9bԔMML;ƔqK޷Q+x1IJEJyƜigczKmC/FD+jS=$RϣKf |)"H) ] x1r,0omZ5UIT &:#uF@?%e*V)J'/ 讏Rn:gx}Wޚi 䪄q'(h.(,G*1A_R:i[VNlI)`P,mgLtl85/d 0n_OD'#$" 血7f^4 LčLSRe(Gmm1bh8yKPt0Q?!>]%a Pph"e:OD)oKs37Ժ@:zQ_; ׬ aL=j+y}a8eRSf=΢~P F:xWU@si= A3~ ڰZ[$:w`; ];_JΛX mwk{׻-l c{%?^yw^=rU]X37=mO[")ل_w#]/Wsm`~:M~P!tjyf5" Nmdy6.ZxM_ o&` ljVXVEqf{ [{V̽K敲cR;`@ۀM~rmAɼ#Ь%5̐X|+j%M"q0M?'+⌉faeO%s_e5I5pD~DS`Iv|wouv1 ASpn]|@Qٛ^/m#prjܒ|`2\۶뿓$}lcYŽX,hILÑ@uœ3TQ.jc"8 ‹I;S9cgS`܀f*ZWIYWCVPh?= fTn#n$XG}K:iL҇O~o'/ :âIY0Xl. pìfo_`\7nBm/L=/wk`OsPwƒwbOaR-,:'w v2y(^Bx8n g1g=vIndw'w|ϛ0ʍbDsʉmO-ix/QM3Tt䏅B/X`x{$e _Mu,vaDم0ȡ-?TWg*׶/N|_E9aa0m+`)ScWF%3z J 0~AX^qT1&IBs6Gcu\_QS[Z-į[#d! `,%o,"%xaoquQ%Ϥw_FpxIg(bb3, Y^Kc.-ZMi%RZYE]ɖ1xy[/Mz'5aLO8P;IU6'a|Q{@*VH5i`fpW4?b\y z G>)fF<@&Lokz^CΰJ[7]s5S]<_q=%o7ݛCgnVuR#[wnVƞܐSlmQNa]b,l7o"ntJoYl!Lv~6ӿ4,\ =BπTaUw}jh ܻTմJd i`_TρVR*jZ?";МaORkueAj+;Y!kjݔ<ҡN+qܑuf)lB+N'& ):2]БܟޔjmO*oIgO.4~xl@ "6 ?Ki:2gMr+o\ixc# k3dwl1Ghb#NHB0\'u=#Yg0\*}p稯-d=w:}GLWC7>z(4b>ʓŘcL@NA`(\`CL].]Q.k&"h`>zS?w|1[GB(W9$#qz\+ aHE>p4.pgj9UtKd|L+2&Bs8or~tN8%"&LmahB\ߊ6"))Ĵc1C x 1/d}m a$xW RǠ{q^21Fiŷ~$lC;b21cbHgOh $1XJDqY@y#LL݂zĂB|~N­!R"t3a/xt53N]<7Yef xpƧx}ͻ)5lDM< 2BkQ.閣fMQpV#ߛ~Sg8Xں9P6#&TwnM}yyH\u:tսt{sֻSP ܢֳ[s;rԻrҽ\^u/։L_3}eRo4E9š6u&\ «q_sxgYxiD_04e><J*Q^& ƕ^mӄ-xec>}|||j%6#g5^LW#GuƜb6A{I7 5N>Mo )ns9EЊLjV}Q}xS? _A6pj;彜rcq'ʏ֗}NrOPi}i:/Zrg97Bc? Y_~rl:syNy|y}ρ>993s::s/=IR<9k_T0RhK "S^9,.NrPϪ [~22RϜW~y$ kw^WKͮ0TntKL쵆cn-:vņ^_rpմ] &J2o-cENikz(#s<2g!h{dZ+mFDgc@D1KAF0_GzʉnS' e.o opfy@ @9z\pm`no,0 4OW=M]\ڎwڝGf{ueePkvdmoCdx^$ٝzÀ}G]xZ@&n\ef(/@FA@acvDF>,k/gM>w>]u_oҹh /:35K쓭?M}f`ͼTV)pFF,RK|c ,{Oa4D=SHN7nޣ97?LXJҡn &)xT-kZYoZԪw俓+$2 G0q]HMjJ]NlժJRL3BAyG l]{̾ZCO3CX)ḃ̺n[ % P }:fl*Yۼx`TS Nd@7 ,v;Ũ@<΃s,tq) {{[2gډe:ɧ`٤I8K'-}by[Lr,mނzxM&V=ȁF=C[%GEEib+3b7f^:&23Mť{6oo\| "e*sMRq!f[ Nؒ1fQSRۨWY)"9cc>m=]wrl#kBu;2u!_/BlKz=c,g~.y@>;os9L]&lʗ>[l,=%4Id`.ۀ`7'Sr_˧%IAf:2Ş_ =6K9V\Rs7ס)e4dF,< bsފjd!׶zK2jSo:h}vsܪ.QG4 (OP"#q}$!3F8RƠF@/:Z-5,l$==ASh<ϛW5; gC“Jn{[o-s\D)R%:v*:Oe[BI<<>,D*9"[Io %Q%6>mZP= v"8%Yz'{io=G}c_VeńK!:F1d\*IxrHIhC>~EE3`A0^|eD$u'sl#اTét1C@_D2gR*4%NSЊxs*xEy?ĵ36 Maz:SAW ]r1қ1 ]c *|?OGe Lwt4?n90kn>q$Lx Cr:vY 96%O-  `ꎈM6e֜DR*,Dl'f , ~sf_;Q -91"uz ?[<-v;# +_2sE>v/-J~S.!O3й?-Rw/e[͌:ܾ,{ QFbv]shՆG0ޏq7PR|@xS a {m;p3z2 9Qm`-ඨN \70(|[|oy-¶"yX]@cb,LڙFα ya1 +o=ȉe6]g0^l,eLWYX&7$V /OىBׅѰ0 L;,lyED%e2JAmfK#fE [Rj2 19,f@xI1%h3l䓈mAb ?åk[),#{`y/|gr09dv?,qgMn3a-d