Didier Stevens

Saturday 12 July 2008

Infectee or Infector?

Filed under: Malware — Didier Stevens @ 10:32

My first and second little poll lead up to this post.

I’ve been quite surprised that the most downloaded file from my site is SafeBoot.zip. Since I published it more than a year ago, there have been 20,000+ downloads. And I’m also under the impression that the number of downloads per day is steadily increasing. One would be tempted to conclude from this that the number of malware infections that disable Safe Mode is on the rise, but this is indirect evidence.

First of all, I believe the increase is due to search engines. As more and more sites link to the Safeboot blogpost, the page will rise in the ranking of search results. One can argue that visiting the Safeboot blogpost and downloading the SafeBoot.zip file are two different things: you can land on the page just out of curiosity, but if you download the registry fix file, then you’re surely infected with a Safe Mode disabling virus.

Well, not necessarily. From my interactions with people using my registry fix, I’ve observed that some of them apply this fix even if their Safe Mode keys are intact. They just have another PC problem (for example the CD drive doesn’t work anymore), and they hope that my fix will fix this too.

So I’m not sure that Safe Mode disabling malware is on the rise, but I do know that it’s becoming more sophisticated. As the first virus I analyzed would only delete the Safe Mode keys once, now there are viruses that delete the Safe Mode keys and monitor them, deleting them again if they are restored.

Ironically, another large group of people that visit my site are not in search of a solution to a malware infection, but are looking for malware! Here are some of the most popular search terms that lead to my blog:

  • download virus
  • virus download
  • download a virus
  • how to get a virus
  • get a virus
  • give me a virus

The reason that search engines direct users to my site when they search for a virus, is an unfortunate side-effect of my Google Adwords post. This is my most popular blogpost by far, and has been linked to by countless sites. Although I have offer no malware to download, this Adwords blogpost contains the words of the search terms and is highly referred to, so it ranks high in search engine results.

So if you’re landing on my blog via a search engine, it’s very likely you’re an infectee or an infector. 😉


  1. What does it say to be reading from RSS?

    Comment by Scott — Saturday 12 July 2008 @ 23:14

  2. More than a year ago, wordpress.com removed stats for RSS feeds, because (according to them) they were not reliable.

    Comment by Didier Stevens — Sunday 13 July 2008 @ 8:38

  3. Sometimes I happen across blog posts such as this and download the tool just to see how it works. Sometimes I download it just to have it “just in case” I will need it later. Since you can never really predict when such tools will truly be needed and it is better to have it on hand than to search around for it when that moment arrives. I wonder how many more people are out there like me…

    Comment by jamie — Sunday 13 July 2008 @ 13:10

  4. You’re certainly not alone, I know a couple of people who do this too

    Comment by Didier Stevens — Sunday 13 July 2008 @ 13:25

  5. I am one of those who have downloaded the safeboot.zip file. Thank you for that.

    Comment by drnsacharya — Sunday 10 August 2008 @ 7:31

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.