Clive Robinson May 14, 2007 7:18 AM


I had to think twice then check before clicking on your link 8)

as expected May 14, 2007 7:34 AM

In the 1990s I posted an X11 pop-up on someone’s screen at work (my smartest user in fact) with a red warning triangle saying “Self-destruct now? Yes/No”.

He clicked Yes, but afterward could not explain why.

Lisa May 14, 2007 8:05 AM

I wonder how many of the 409 clickers were running Linux, or clicked it on a test machine (rather than just assume that all of the clickers were “stupid Windows users”). Too bad traffic analysis can’t track that well.

I think the biggest question for me coming out of this whole thing is, why didn’t Google red-flag this ad as suspicious?

Jay74 May 14, 2007 8:14 AM

It’s what I call a “DAS error” (Dumb *** Stupid). It is, always has been, and always will be a scourge on mankind. It wasn’t created by computer technology, but technology has made DAS more useful and problematic.

anon1 May 14, 2007 8:29 AM


I wonder how many of the 409 clickers were running Linux

RTFA. It’s quite unlikely people looking at the site to see what kind of scam it is would bother to fake User-Agent before doing it, I’d say…

Nicholas Weaver May 14, 2007 9:02 AM

Lisa: why didn’t google red flag it? Simple, google’s entire business model is automation: Do something for you, take your money, without EVER involving a human.

This includes their advertising sales.

merkelcellcancer May 14, 2007 9:13 AM

This is the big red button effect. Do Not Press. How many men can pass by without wanting to press the button?

D. SKye May 14, 2007 12:14 PM

Dangit Jo! That is just MEAN, I looked at the source code of the page, and it honestly looks harmless, which makes me really wanna push it! –But I didn’t, I’m not a malicious person, but maybe that is the point of the button, to find out who is, then block them from the site or something 🙂 too tempting… Oh well. It won’t be pushed by me, even if it is completely harmless.

X the Unknown May 14, 2007 12:47 PM

The sad thing is that the “Redneck Virus” (AKA “Honor System Virus”) actually worked in several ways:

  1. It did indeed display viral behavior, getting itself emailed to many or all of most recipients’ contacts lists, thus clogging the eMail system, if nothing else. (It was a funny geek-joke, and I am guilty of propagating it when it originally appeared, too.)
  2. Apparently, some people actually did erase their files (

  3. Less than a year later the SULFNBK “Virus” came around (

    • basically a “working version” of the Redneck-Virus, and thousands of people manually hunted down and erased a Windows system-file from their drives, while assiduously passing on the “information” to all their contacts.

X the Unknown May 14, 2007 2:21 PM

I didn’t push the button, but I did paste in the address that pushing the button takes you to:

Does a pretty good job of imitating an erased site. I didn’t check how the original site gets masked off, thereafter, but I’m guessing a Session-Cookie gets set by the second site, and the server simply doesn’t display the original site anymore.

A new browser-session on a new Virtual Machine finds the original site just fine. Rather nice, all-in-all.

Thanks, Jo!

DontClickHere May 14, 2007 3:04 PM


Yeah, it’s a cookie. If you search your cookie jar, you’ll find a couple of cookies from totl….

David Magda May 14, 2007 3:50 PM

Recently I had a friend ask me if he knew of a quick way to get an e-mail address ON TO spammers’ lists.

He wanted to do load testing on a test machine in a temporary domain before putting the system into production. Of course since no one used the domain it got no traffic. 🙂

Anonymous May 14, 2007 5:53 PM

Look at link.
Look at Linux PC.
Figure ‘This’ll be interesting’.
Click link.

Tom May 14, 2007 6:21 PM

I don’t think this would be a very viable method of disseminating malware:

1) Malicious people generally don’t like paying for things. There are cheaper/free ways of accomplishing the same thing.

2) Using Adwords would make it incredibly easy to trace the malware back to the source. You’d have to be incredibly stupid to actually do this (unless you used stolen credit cards etc)

3) If your site actually contained something malicious, how long do you think Google would tolerate it? I’d bet that after the first complaint they would remove your account.

Didier Stevens May 15, 2007 1:35 AM

Look at link.
Look at Linux PC.
Figure ‘This’ll be interesting’.
Click link.

Actually, that would be:
Look at link.
Look at Linux PC.
Figure ‘This’ll be interesting’.
Change User Agent string
Click link.

guvn'r May 16, 2007 2:33 PM

@David Magda, Craigslist.

Post there and you’ll get a few spams, respond to postings and you’ll get more. Do both and your traffic will reward you…
