back to article People will happily run malware if paid ONE CENT – new study

Security white hats, despair: users will run dodgy executables if they are paid as little as one cent. Even more would allow their computers to become infected by botnet software nasties if the price was increased to five or 10 cents. Offer a whole dollar and you'll secure a herd of willing internet slaves. The demoralising …


This topic is closed for new posts.
  1. Mark 85

    Double-edged sword this is

    I despair at the gullibility and stupidity of where civilization is going with people like this. On the other hand, it also means that there will be work IT support types for a long time to come.

    I'm beginning to think PT Barnum was wrong. There isn't one born every minute.. more like 2 or 3 dozen.

    1. Trevor_Pott Gold badge

      Re: Double-edged sword this is

      "it also means that there will be work IT support types for a long time to come."

      Digital Janitor doesn't pay well, and in a lot of jurisdictions they're classified as an "essential service worker" and not allowed to unionize or strike. Yeah. This is great news. We can collectively keep fighting fires for a fraction of a bent pittance instead of moving on to something that provides real value and along with it at least the illusion that we'll get more pay.

      1. Chairo

        Re: Double-edged sword this is

        Isn't the "digital janitor" usually the engineer guy in the neighbourhood who will repair/clean up the messed up family PC for free, anyway? Otherwise there might be a nephew at hand who will be obliged to do it. (Said nephew might be part of the problem here, of course).

      2. auburnman

        Re: Double-edged sword this is

        Where are IT forbidden from striking? Would it affect overtime bans or work-to-rules?

        1. Trevor_Pott Gold badge

          Re: Double-edged sword this is

          Alberta, Canada. And yes, if IT were to attempt to work-to-rule, they'd probably get slapped down by a judge. Overtime bans...what? No such thing!

          IT workers here who manage to get into a union are few and far between...and they don't get into a union for IT workers. They either join the telecommunications workers union (the most hated union in our country) or the provincial/federal worker's union. And you can only join them if you work for specific companies.

          Everywhere else, in the private sector, your boss has the option of listing you as an 'essential worker' in your contract. That makes you exempt from all labour standards, from overtime to number of hours worked in a row to whether or not you get lunch breaks.

          Most people don't even realise it, but I've seen it used to devastating effect in the oil and gas industry, where finding IT techs willing to go out in the feild is rare. So once they have 'em, they work 'em almost to death. They're generally paid decently, but a well paid slave is still a slave.

          So yeah, digital janitors get a pretty shitty ride. At least here...and from my understanding, in a lot of other jurisdictions around the world too.

    2. Oninoshiko

      Re: Double-edged sword this is

      In fairness to PT Barnum, there where a few less humans making babies when he said that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Double-edged sword this is

        Current population levels suggest that 'making babies' has rather too cute connotations. Humans are somewhere between 'breeding' and 'breeding uncontrolled'. I doubt it'll slow down until we reach 'swarm and multiply' and humans either go the soylent route or have a cataclysmic adjustment.

        Yes, I did get out of bed on the grumpy side today.

  2. Chairo

    So people are gullibe and will do anything for a profit?

    This is really not new news, isn't it? Apart from forcing everyone in a tightly controlled walled garden, I don't see what could be done against it.

    Actually it could be a business model for mining coins. Pay the people 1c per hour and burn their electricity for mining. Someone with a fast graphics card could be paid slightly more. 2c, say.

    Perhaps it will become notorious enough to stop people from falling for this particular trap. Then again, there are probably enough people who don't pay for their electricity by themselves, so even this might not work.

    1. Grikath

      Re: So people are gullibe and will do anything for a profit?

      In other news: gravity is still working.

      I'm actually not surprised by the increase in infections in "secure" ( patched and Scanned/Firewalled) systems. Most PCs are set up by OEMs to patch and update automatically, with at least a decent free-version virus scanner/firewall combo, so even if a user is a total airhead, the system itself *should* more or less take care of itself.

      This, however also makes the "increase" in infected systems rather irrelevant, since the executable clearly needed user interaction to the point where it needed to get specific permissions to run, so the actual state of protection of the users' machine is rather moot. The only way to protect the system against that kind of behaviour is allowing the user no system at all.

      I must say though that the ...expectation.. the researchers have about any user having a clue at all about "processes running on their system" is rather laughable. The amount of processes and services that are set to start automatically, even from completely legal and logical software, is insane. Windows 7 is pretty well behaved, the mainstream AVs as well, but all the other stuff? Crud and fluff that eats memory, loads at startup and does "nothing" , and is a biatch to disable. ( some Adobe stuff needs a trip to services *and* registry to make it behave... And resets registry and services every time an update is offered ( not installed (!) ) ). And a normal user doesn't even know what "Services" are....

      Then there's spywareeermm sorry "Toolbars" that every other commonly accepted as "safe" software company flogs as part of the install process, "system checkers" as part of a normal install process that run in a separate install, and a minor sheaf of other stuff that will all pop up warnings from your system and that you have to click through to ignore as part of a normal install process. All from Big Names, and universally regarded as "safe".

      So the average user is not only unaware of what his/her system actually runs, but is also trained to hit the Ignore button on any warning popup his system presents to him, by the very companies that should have at least a passing interest in making sure the users' system is relatively safe and clean, if only to "enhance the Experience"...

      If there's any surprise, it's the sheer arrogance and/or cluelessness of the "researchers" in this case.

      1. Stevie

        Re: So people are gullibe and will do anything for a profit?

        [4 Grikath] Upvoted with oak leaves.

        My personal beef? Unecessary services:

        first in line: update checkers that should start based on system start do what they do and then fuck off. Everything gets so much faster on a windows machine once every invocation of a program doesn't result in an often pointless wait for The Word from homebaseDotCom - the timeouts when the wireless adapter is turned off are a particular annoyance. One might make a case for persistent AV update services and OS update checkers but OpenOffice? iTunes? Bloody laser printers?

        Second: "Helper" services that don't degrade properly e.g Bonjour that fills the log with stupid errors all day long instead of saying "oops, no network; I'll shut down knowing I'll restart when iTunes is launched".

        Third: Click-through addedvalueware such as the beyond fucktarded McAffee express edition or whatever it is that Adobe tries to foist off on one during any Adobe "update" and that will install itself even if you already have a full product McAffee suite running.

        Where's the Tylenol?

      2. Anonymous Coward
        Anonymous Coward

        Re: So people are gullibe and will do anything for a profit?

        Oracle Java install with unwanted toolbar. I'm really sure Ellison doesn't need the money; perhaps he enjoys the thought of how many people hate him.

  3. lansalot


    Users earned a gold star by running it in a VM... so they could possibly analyse it..?

    ... or more likely, get round the limitations of earning higher payouts, by being excluded because they'd taken part in the earlier cheaper ones...

  4. TopOnePercent

    The sooner internet access requires a basic competency test the better.

    1. Pascal Monett Silver badge

      Now THAT is the pure truth.

      Now all we need is an OS that can prevent someone from sending those stupid pseudo-heartwarming chain letters. Or any other sort of chain letter. Or anything, really.

      Until they have something interesting to say, that is.

      The silence would be deafening.

  5. Phil Endecott

    Thus was done on Mechanical Turk. I think it's a bit of a jump to claim that people who use mechanical turk are representative of the rest of us.

    They would also have an expectation that Amazon would not allow malware on the Turk platform.

  6. Sander van der Wal
    Thumb Up


    Excellent news!

    Finally there's a way to make money while you sleep. Not a lot of it, but that is because computing power is not really scarce. And given the fact that FB et al already have downloaded your address book and whatnot, these guys are better than FB. FB didn't give you any money, didn't they?

    On a more serious note, maybe the IT people should start to think of a way to have computers for other humans instead of computers for IT people? Companies are the only entities paying for your services, as the numerous complaints on these fora about having to give away free computer support for friends an family show.

    1. Anonymous Coward
      Anonymous Coward

      Re: Demoralizing?

      "On a more serious note, maybe the IT people should start to think of a way to have computers for other humans instead of computers for IT people?"

      I'm working on my prototype now. The GUI is a touchscreen with a large red button appearing on boot that says 'Shut Down'.

  7. Amorous Cowherder

    So to sum up...

    "A fool and their money are soon parted." and "One born every minute!"

  8. Anonymous Coward
    Anonymous Coward

    "which baited users with a benign Windows executable sold to users under the guise of contributing to a (fictitious) study."

    Wait, it was sold to users? So they paid for it? to earn one cent? How much was it?

  9. Anonymous Coward
    Anonymous Coward

    "which baited users with a benign Windows executable sold to users under the guise of contributing to a (fictitious) study."

    This puts a rather different blush on it.

    In this case, the people aren't deliberately downloading malware. They are downloading something to help someone with a study.

    Of course, it could still be malware, but is this really any different in principle to something like Seti@Home?

    1. Mage Silver badge


      You mean like the tool bars, codecs, Ad Ware removers that people install that are just malware?

  10. Truth4u


    I'm gunna claim the 1cent for infecting other people.

  11. Anonymous Coward
    Anonymous Coward

    Well, this story has ruined the start of my day!

    I guess advice like "Don't open attachments that you are not expecting to receive" and even "Nothing comes for free" is too cryptic for the public at large. Oh well, the future of the IT security industry is guaranteed.

    (Nice image of Picard and Riker facepalming though)

  12. Hollerith 1

    Already infected, why not make money?

    I would figure that, since I know my computer is stuffed full of malware despite all my apparent security, I might as well get paid for hosting it.

    1. Horridbloke

      Re: Already infected, why not make money?

      How about legal ramifications? I can't help thinking anyone knowingly offering their machine up to a dubious-looking botnet for reward is an accessory to any crimes committed via said botnet.

  13. Anonymous Coward
    Anonymous Coward

    Statistically weak?

    So 965 people out of 1714 ran the code. But the article doesnt tell us how many declined the offer entirely. If 100,000 people saw the offer and only 965 took it, then that 1% response rate would tell a different story.

    We are also not told if the 965 victims were the owners of the computers or just the users of them. Doesnt surprise me that people would accept a payment to run junk on their employers system. That is a more interesting spin....

    1. Tom 13

      Re: Statistically weak?

      And the premises were flawed from the get go.

      Use of the Mechanical Turk and linking the study to CMU both biased the study, especially as it was an actual CMU study. While I am not specifically familiar with Mechanical Turk, since it is on Amazon the assumption is that somebody with a hell of a lot more resources than I have has already scanned the applet for malware and passed it as legitimate. Failure to mention the study on any CMU website is also pretty meaningless. It's not the sort of thing you'd expect to find on their websites, or if it is, it will be so buried it is difficult to find.

      The bit about the UAC is a complete red herring. The UAC is only useful for drive-by malware. If you've downloaded it, you know it is going to pop up, and you know you're going to have to authorize it.

      If the program was even minimally well behaved, there's no cause to look further for malicious activity. The reality of the security situation right now is that you pick your preferred suite, install it, and count on them to detect the malware. So unless they were providing their code to the AV vendors for inclusion in the malware signatures, there's no cause for a typical user to question the applet.

      To get even a semblance of reality into this study they need to have a new name, release it through typical malware vectors (that is not Amazon, Chrome, or Apple app stores but possible dodgy sites or banner ads displayed on random web pages) including some drive-by installers. Collect the data from those instances and see what the results are.

      1. Mage Silver badge

        Re: banner ads displayed on random web pages

        Like Sourceforge?

        "The reality of the security situation right now is that you pick your preferred suite, install it, and count on them to detect the malware."

        Er no. Most AV STILL occasionally clobbers systems and still misses new threats and is still frequently bypassed by the User.

        We need a fresh approach. For a start I ought NEVER have to worry about clicking on stuff or visiting websites. If it's not something sensibly intended for the Browser it should offer to download (save file). You should NEVER EVER be able to click on stuff to run / install when using a Browser.

        One decent Bouncer at the front door instead of all the CPU draining "Security Ware" patrolling the corridors.

        "Noscript" helps but my friends complain that it takes too long to "train it" and that they worry they are missing some feature of the Site. (Yes probably Malware!).

        1. Tom 13


          Go back to petting your unicorns and hunting Yeti.

          You can't even train the average IT people to properly handle all the potential threats out there let alone approaching the average punter. You need a suite of protections. And yes you're always at risk. Yes it sucks. But it is reality. Deal with it.

This topic is closed for new posts.

Other stories you might like