Didier Stevens

Monday 7 May 2007

“Is your PC virus-free? Get it infected here!”

Filed under: Malware — Didier Stevens @ 6:12

Would you click on this Google ad?


No? Sure? Because 409 persons did!

How do I know? Because I’ve been running this Google Adwords campaign for 6 months now.

Last fall, a small book on Google Adwords at our local library caught my attention. Turns out it’s very easy to set up an ad and manage the budget. You can start with a couple of euros per month. And that gave me an idea: this can be used with malicious intent. It’s a way to get a drive-by download site on the first page of a search result (FYI, I’ve reported on other ways to achieve this). So I started an experiment…

  1. I bought the drive-by-download.info domain. .info domains are notorious for malware hosting.
  2. I set up a web server to display a simple page saying “Thank you for your visit!” and to log each request. That’s all. I want to be absolutely clear about this: no malware or other scripts/code were ever hosted on this server. No PCs were harmed in this experiment.
  3. I started a Google Adwords campaign with several combinations of the words “drive by download” and the aforementioned ad, linking to drive-by-download.info.
  4. I was patient for 6 months.

During this period, my ad was displayed 259,723 times and clicked on 409 times. That’s a click-through rate of 0.16%. My Google Adwords campaign cost me only €17 ($23). That’s €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows (according to the User Agent string).
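How the figures above (click-throughs per OS from the User Agent string, click-through rate, cost per click) can be pulled from the request log of the “Thank you for your visit!” server, as an added example that is not part of the original post. The log lines are constructed, the Apache “combined” log format is assumed, and the OS classification is a coarse keyword match:

```python
import re
from collections import Counter

# Constructed sample of the landing server's request log (Apache combined format, not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2007:06:01:12 +0200] "GET / HTTP/1.1" 200 29 "http://www.google.com/search?q=drive+by+download" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 - - [07/May/2007:06:02:40 +0200] "GET / HTTP/1.1" 200 29 "http://www.google.com/search?q=drive-by+download" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
192.0.2.12 - - [07/May/2007:06:03:05 +0200] "GET / HTTP/1.1" 200 29 "http://www.google.com/search?q=drive+by+download" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 Safari/419.3"
192.0.2.10 - - [07/May/2007:06:03:30 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is garbage and must be skipped
192.0.2.13 - - [07/May/2007:06:05:01 +0200] "GET / HTTP/1.1" 200 29 "http://www.google.com/search?q=drive+by+download" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_os(user_agent):
    """Coarse OS bucket from a User-Agent string; anything unrecognised is 'other'."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os" in ua or "macintosh" in ua:
        return "mac"
    if "linux" in ua:
        return "linux"
    return "other"

def analyse_log(text):
    """Count ad click-throughs (landing-page hits referred by Google) per OS; returns (clicks_by_os, unique_ips, skipped)."""
    clicks, ips, skipped = Counter(), set(), 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1          # malformed line: count it rather than crash
            continue
        # Only the landing page counts as a click; favicon and other secondary requests do not.
        if not m["req"].startswith("GET / ") or not m["referer"].startswith("http://www.google."):
            continue
        clicks[classify_os(m["ua"])] += 1
        ips.add(m["ip"])
    return clicks, ips, skipped

def campaign_stats(impressions, clicks, cost_eur):
    """Click-through rate in percent and cost per click, the two campaign figures the post reports."""
    ctr = 100.0 * clicks / impressions if impressions else 0.0
    cpc = cost_eur / clicks if clicks else 0.0
    return round(ctr, 2), round(cpc, 2)
```

With the post's own campaign numbers, `campaign_stats(259723, 409, 17.0)` gives the 0.16% and €0.04 quoted above.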

In a previous post on spamdexing, I reported 6,988 click-throughs to malicious websites over a 3 month period. That’s 2,329 click-throughs per month, compared to my 68 click-throughs per month. The Spamdexing “R” Us operation was much more successful than my little experiment, but at a greater cost (they ran a bunch of dedicated web servers). I’m sure I could get much more traffic with a higher Google Adwords budget and a better designed ad.

This is how my ad looks on a search result page:


I designed my ad to make it suspect, but even then it was accepted by Google without problem and I got no complaints to date. And many users clicked on it. Now you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad. I did not submit them to an IQ-test 😉

Recently there have been several stories in the press pointing out that this technique is used “in the wild”. That’s why I’m publishing my results now, but my experiment is still running. Of course, the nature of the experiment has changed now that I have revealed it, but it could still turn out to be interesting.

You can find a video of Google showing my ad here hosted on YouTube, and you can find a hi-res version (XviD) here. Not the best quality, but I wanted to show off my new Nokia N800.

I want to thank all participants of my experiment.
