Didier Stevens

Saturday 12 July 2008

Infectee or Infector?

Filed under: Malware — Didier Stevens @ 10:32

My first and second little poll led up to this post.

I’ve been quite surprised that the most downloaded file from my site is SafeBoot.zip. Since I published it more than a year ago, there have been 20,000+ downloads. And I’m also under the impression that the number of downloads per day is steadily increasing. One would be tempted to conclude from this that the number of malware infections that disable Safe Mode is on the rise, but this is indirect evidence.

First of all, I believe the increase is due to search engines. As more and more sites link to the Safeboot blogpost, the page will rise in the ranking of search results. One can argue that visiting the Safeboot blogpost and downloading the SafeBoot.zip file are two different things: you can land on the page just out of curiosity, but if you download the registry fix file, then you’re surely infected with a Safe Mode disabling virus.

Well, not necessarily. From my interactions with people using my registry fix, I’ve observed that some of them apply this fix even if their Safe Mode keys are intact. They just have another PC problem (for example the CD drive doesn’t work anymore), and they hope that my fix will fix this too.

So I’m not sure that Safe Mode disabling malware is on the rise, but I do know that it’s becoming more sophisticated. Whereas the first virus I analyzed would only delete the Safe Mode keys once, there are now viruses that delete the Safe Mode keys and then keep monitoring them, deleting them again as soon as they are restored.
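As an added example (not part of the original post, and not the SafeBoot.zip fix itself), here is a PowerShell check for the Safe Mode registry keys that also accounts for the monitoring behaviour described above: it tests whether the SafeBoot\Minimal and SafeBoot\Network keys exist, and if they are missing it waits after you restore them and checks again, so that a watchdog process deleting them a second time shows up. The key paths are the documented Windows locations; the minimum-entry threshold is an assumption for sanity checking, since the number of subkeys differs between Windows versions.

```powershell
# Added example, not code from the original post.
# Run in an elevated PowerShell session on the suspect machine.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$profiles     = @('Minimal', 'Network')

function Test-SafeBootKeys {
    # $MinEntries is an assumed threshold: an intact profile key holds many
    # subkeys, so a near-empty one is as suspicious as a missing one.
    param([int]$MinEntries = 10)
    $result = @{}
    foreach ($p in $profiles) {
        $path = Join-Path $safeBootRoot $p
        if (-not (Test-Path $path)) {
            $result[$p] = 'MISSING'
            continue
        }
        $count = (Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -lt $MinEntries) {
            $result[$p] = "SUSPICIOUS ($count entries)"
        } else {
            $result[$p] = "OK ($count entries)"
        }
    }
    return $result
}

function Show-Status {
    param([string]$Label, [hashtable]$Status)
    Write-Host "[$Label]"
    foreach ($k in $Status.Keys) {
        Write-Host ("  {0,-8} {1}" -f $k, $Status[$k])
    }
}

$first = Test-SafeBootKeys
Show-Status -Label 'Initial check' -Status $first

# If the keys are gone, restore them yourself (for example by importing a
# .reg file), then let the script re-check after a pause. Keys that vanish
# again between the two checks point to a process watching them; identify
# that process (Process Monitor, Autoruns) before restoring once more.
if ($first.Values -match 'MISSING|SUSPICIOUS') {
    Write-Host 'Restore the keys now, then wait for the re-check...'
    Start-Sleep -Seconds 30
    Show-Status -Label 'Re-check after 30 s' -Status (Test-SafeBootKeys)
}
```

An intact system reports both profiles as OK on both passes. A first pass reporting MISSING followed by a second pass that is also MISSING, even though you imported the fix in between, is the signature of the monitoring variant: the fix did apply, but something on the box reverted it.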

Ironically, another large group of people that visit my site are not in search of a solution to a malware infection, but are looking for malware! Here are some of the most popular search terms that lead to my blog:

  • download virus
  • virus download
  • download a virus
  • how to get a virus
  • get a virus
  • give me a virus

The reason that search engines direct users to my site when they search for a virus is an unfortunate side-effect of my Google Adwords post. This is my most popular blogpost by far, and it has been linked to by countless sites. Although I offer no malware to download, this Adwords blogpost contains the words of those search terms and is widely linked to, so it ranks high in search engine results.

So if you’re landing on my blog via a search engine, it’s very likely you’re an infectee or an infector. 😉
