Bruce Schneier
Schneier on Security

A blog covering security and security technology.

May 14, 2007

Do You Want to Infect Your PC?

"Is your PC virus-free? Get it infected here!"

An actual Google Adwords campaign.

EDITED TO ADD (5/19): Slashdot thread.

Posted on May 14, 2007 at 7:03 AM • 20 Comments

Bruce, I had to think twice then check before clicking on your link 8)

Posted by: Clive Robinson at May 14, 2007 7:18 AM

In the 1990s I posted an X11 pop-up on someone's screen at work (my smartest user in fact) with a red warning triangle saying "Self-destruct now? Yes/No". He clicked Yes, but afterward could not explain why.

Posted by: as expected at May 14, 2007 7:34 AM

I wonder how many of the 409 clickers were running Linux, or clicked it on a test machine (rather than just assume that all of the clickers were "stupid Windows users"). Too bad traffic analysis can't track that well. I think the biggest question for me coming out of this whole thing is, why didn't Google red-flag this ad as suspicious?

Posted by: Lisa at May 14, 2007 8:05 AM

This has been done before computers were even around: "Wet Paint"

Posted by: bob at May 14, 2007 8:07 AM

It's what I call a "DAS error" (Dumb *** Stupid). It is, always has been, and always will be a scourge on mankind. It wasn't created by computer technology, but technology has made DAS more useful and problematic.

Posted by: Jay74 at May 14, 2007 8:14 AM

@Lisa: RTFA. It's quite unlikely people looking at the site to see what kind of scam it is would bother to fake User-Agent before doing it, I'd say...

Posted by: anon1 at May 14, 2007 8:29 AM

Lisa: why didn't Google red flag it? Simple, Google's entire business model is automation: Do something for you, take your money, without EVER involving a human. This includes their advertising sales.

Posted by: Nicholas Weaver at May 14, 2007 9:02 AM

This is the big red button effect. Do Not Press. How many men can pass by without wanting to press the button?

Posted by: merkelcellcancer at May 14, 2007 9:13 AM

Speaking of red buttons, I wonder how many people clicked this one?

Posted by: Jo at May 14, 2007 10:06 AM

Dangit Jo! That is just MEAN, I looked at the source code of the page, and it honestly looks harmless, which makes me really wanna push it! --But I didn't, I'm not a malicious person, but maybe that is the point of the button, to find out who is, then block them from the site or something :) too tempting... Oh well. It won't be pushed by me, even if it is completely harmless.

Posted by: D. SKye at May 14, 2007 12:14 PM

The sad thing is that the "Redneck Virus" (AKA "Honor System Virus") actually worked in several ways:

1. It did indeed display viral behavior, getting itself emailed to many or all of most recipient's contacts list, thus clogging the eMail system, if nothing else. (It was a funny geek-joke, and I am guilty of propagating it when it originally appeared, too.)
2. Apparently, some people actually *did* erase their files (http://vmyths.com/hmul/4/2/)
3. Less than a year later the SULFNBK "Virus" came around (http://www.sarc.com/avcenter/venc/data/sulfnbk.exe.warning.html)

Posted by: X the Unknown at May 14, 2007 12:47 PM

@D Skye: The totl site doesn't work for me anymore. Did you actually push the button?

Posted by: DontClickHere at May 14, 2007 12:51 PM

I didn't push the button, but I did paste in the address that pushing the button takes you to:

Does a pretty good job of imitating an erased site. I didn't check how the original site gets masked off, thereafter, but I'm guessing a Session-Cookie gets set by the second site, and the server simply doesn't display the original site anymore. A new browser-session on a new Virtual Machine finds the original site just fine.

Rather nice, all-in-all. Thanks, Jo!

Posted by: X the Unknown at May 14, 2007 2:21 PM

@X: Yeah, it's a cookie. If you search your cookie jar, you'll find a couple of cookies from totl....

Posted by: DontClickHere at May 14, 2007 3:04 PM

Recently I had a friend ask me if he knew of a quick way to get an e-mail address ON TO spammers' lists. He wanted to do load testing on a test machine in a temporary domain before putting the system into production. Of course since no one used the domain it got no traffic. :)

Posted by: David Magda at May 14, 2007 3:50 PM

Look at link.

Posted by: Anonymous at May 14, 2007 5:53 PM

I don't think this would be a very viable method of disseminating malware:

1) Malicious people generally don't like paying for things. There are cheaper/free ways of accomplishing the same thing.
2) Using Adwords would make it incredibly easy to trace the malware back to the source. You'd have to be incredibly stupid to actually do this (unless you used stolen credit cards etc)
3) If your site actually contained something malicious, how long do you think Google would tolerate it? I'd bet that after the first complaint they would remove your account.

Posted by: Tom at May 14, 2007 6:21 PM

> Look at link.

Actually, that would be:

Posted by: Didier Stevens at May 15, 2007 1:35 AM

@David Magda, Craigslist. Post there and you'll get a few spams, respond to postings and you'll get more. Do both and your traffic will reward you...

Posted by: guvn'r at May 16, 2007 2:33 PM