According to you, what’s the single most-downloaded file from my site http://DidierStevens.com? It’s neither welcome.html nor robots.txt.
Post your guess as a comment.
Tuesday 8 July 2008
20 Comments »
RSS feed for comments on this post. TrackBack URI
Didier Stevens 
favicon.ico
Comment by blabla — Tuesday 8 July 2008 @ 21:15
That’s a very good guess, but it’s not favicon.
Comment by Didier Stevens — Tuesday 8 July 2008 @ 21:35
index.html?
secret-hacking-projects.txt?
Comment by Marcin — Tuesday 8 July 2008 @ 21:51
The XML file for you RSS Feed.
Comment by Brooks Garrett — Tuesday 8 July 2008 @ 21:51
@Marcin: Nope.
Comment by Didier Stevens — Tuesday 8 July 2008 @ 21:55
@Brooks Garrett: my blog is actually hosted by WordPress.com, that’s why I restricted the poll to the domain DidierStevens.com
Comment by Didier Stevens — Tuesday 8 July 2008 @ 21:58
rss+xml file at /feed/ ?
Comment by aramosf — Tuesday 8 July 2008 @ 22:04
No, the poll is for domain DidierStevens.com, not the sub-domain blog.DidierStevens.com.
Comment by Didier Stevens — Tuesday 8 July 2008 @ 22:12
EICARgen.zip
Comment by Kris Quinby — Tuesday 8 July 2008 @ 22:29
No
Comment by Didier Stevens — Tuesday 8 July 2008 @ 22:39
didierstevens-32.jpg
Comment by Cater Soke — Wednesday 9 July 2008 @ 1:15
If you can trust Google (and I’m assuming the period covered is since you started the blog), it would be http://www.didierstevens.com/files/data/SafeBoot.zip
Of course, in my opinion, it should be UserAssist or possibly https://didierstevens.files.wordpress.com/2006/11/20040613-001.jpg
:-))
Comment by Matthew — Wednesday 9 July 2008 @ 2:05
urchin.js
Comment by PJ — Wednesday 9 July 2008 @ 2:30
@Cater Soke: LOL, but that’s not it.
Comment by Didier Stevens — Wednesday 9 July 2008 @ 6:37
@Matthew: well done! It’s SafeBoot.zip.
Can you post a comment explaining how you found out? Thanks
Comment by Didier Stevens — Wednesday 9 July 2008 @ 6:39
@PJ: not urchin
Comment by Didier Stevens — Wednesday 9 July 2008 @ 6:40
Too bad it’s not secret-hacking-projects.txt …
Comment by Joes — Wednesday 9 July 2008 @ 9:48
It was really an educated guess. Googling for your bare domain (at least at the time) returned a post on restoring safe mode that pointed to the file as the second result (first was your home page).
It’s fashionable to deride Google’s search intelligence, but their ranking algorithm, which favors resources with a higher number of links pointing to them, works most of the time.
This got me thinking about popularity, specifically the relative number of people on the net who have been the victim of a particular class of malware vs the number who would find your site researching malware analysis, reverse engineering or forensics.
I felt more comfortable with this view after reading your responses to earlier guesses and querying Google for the common file package formats (ie zip) you use with results limited to your domain.
So, no real magic here.
Comment by matthew — Wednesday 9 July 2008 @ 11:44
[…] A Second Little Poll Filed under: Poll — Didier Stevens @ 6:51 The answer to the question I asked yesterday is: SafeBoot.zip. Excellent deduction work Matthew. […]
Pingback by A Second Little Poll « Didier Stevens — Thursday 10 July 2008 @ 6:52
[…] or Infector? Filed under: Malware — Didier Stevens @ 10:32 My first and second little poll lead up to this […]
Pingback by Infectee or Infector? « Didier Stevens — Saturday 12 July 2008 @ 10:34