Blogs

Didier Stevens has been getting a lot of buzz this week for an amusing (or alarming) experiment (YouTube video) to see if people would click on a Google text ad proudly trumpeting this offer:

Is your PC virus-free? Get it infected here!
drive-by-download.info

Result, after six months: "my ad was displayed 259,723 times and clicked on 409 times. That's a click-through-rate of 0.16%. My Google Adwords campaign cost me only €17 ($23). That's €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows."

Anyone who clicked was taken to a functioning site at that URL but it didn't actually infect their PCs with malware; it just thanked them for visiting and logged the visit. Still, it makes a pretty good case drive-by downloads make sense from a bottom-line perspective.

As Annalee Newitz noted on Wired's The Underwire Monday:

It's hard to say whether people clicked on the ad because they assumed it was a joke, or because they simply misread it as an anti-virus ad. Still, the numbers are pretty scary. The other shocker here is that Google, which does quite a bit of policing on ad content, didn't notice the scammy ad.

Google did notice after all the recent publicity: Stevens' little experiment was shut down this week.

On a related note, a Google study of 4.5 million Web pages (PDF) found that 1 in 10 could infect an unsuspecting user's PC with a drive-by download, Silicon.com reported. The problem is escalating, with an average of 8,000 new URLs containing malware appearing each week in April 2007.