A Foolproof Way to Infect Your PC with Malware

Bruce Schneier points us to a story from a person who decided to see how many people would click on a Google Adwords link that was designed to infect the user’s computer with malware.

The author explains:

Last fall, my attention got caught by a small book on Google Adwords at our local library. Turns out it’s very easy to set up an ad and manage the budget. You can start with a couple of euros per month. And that gave me an idea: this can be used with malicious intent. It’s a way to get a drive-by download site on the first page of a search result (FYI, I’ve reported on other ways to achieve this). So I started an experiment…

  1. I bought the drive-by-download.info domain. .info domains are notorious for malware hosting.
  2. I set up a web server to display a simple page saying “Thank you for your visit!” and to log each request. That’s all. I want to be absolutely clear about this: no malware or other scripts/code were ever hosted on this server. No PCs were harmed in this experiment.
  3. I started a Google Adwords campaign with several combinations of the words “drive by download” and the aforementioned ad, linking to drive-by-download.info
  4. I was patient for 6 months

The ad that he placed appears to the right.

[Image: Infect Your PC]

One would think that no one would click on an ad that openly advertised that clicking it would infect your machine. It turns out, however, that some people will. The author explains:

During this period, my ad was displayed 259,723 times and clicked on 409 times.

Admittedly, 409 out of 259,723 is a low click-through rate. On the other hand, I have to wonder why anyone (let alone 409 anyones) would click on an ad that advertised that it would infect your computer.
Just as you would not leave your car with a person wearing a sign that said “Give me your car keys: I want to steal your car,” don’t go to a website that says “Bring me your computer, I want to infect it.”

Obviously, you cannot avoid every attempt by people to harm you, whether in real life or on the internet. However, you should exercise caution. Just as you know which parts of town call for caution when driving through in the middle of the night, know which types of websites call for caution before you click on an internet link.