Hundreds of users have clicked through to a Google AdWords advertisement offering to infect users with a virus, according to a blogger.
The experiment, run by Didier Stevens, a blogger who says he works for the consultancy group Contraste Europe, is the latest, if slightly puzzling development to reinforce the growing danger from drive-by downloads.
To see how easy it was to lure in users via Google's AdWords, Stevens bought the drive-by-download.info domain and placed an AdWords ad reading:
Is your PC virus-free?
Get it infected here!
Stevens has run the campaign for six months now, with 259,723 ad displays, and says he has had 409 clickthroughs.
The ad has cost him only 17 euros so far, which by Stevens' reckoning adds up to 4 euro cents per potentially compromised machine. Most of the systems visiting the site, 98 percent, ran Windows.
"I'm sure I could get much more traffic with a higher Google Adwords budget and a better-designed ad," Stevens said in a blog posting.
Stevens said he deliberately made the ad look fishy, but encountered no problems from Google. Google might counter that it took no action because the site is not actually dangerous - Stevens' site doesn't itself contain any malicious software.
Drive-by downloads, often placed on seemingly innocuous sites without the site owner's knowledge, exploit known vulnerabilities to place malicious software on a user's computer.
The sites are increasingly even making use of prominently placed advertisements on Google and elsewhere to lure in their victims.
Stevens' site is still running, but he decided to write up his results thus far because of recent publicity around the issue, including a Google study which found that hundreds of thousands of sites have now been infiltrated by drive-by download mechanisms.