Research Project Pays People To Download, Run Executables

msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

Did they say HOW to run it?

[damn_registrars]

I would run it in a dosbox or VM for a dollar.

Re:Did they say HOW to run it?

[fuzzyfuzzyfungus]

"Because the Red Pill VM-detection routine [28] only works reliably on single-CPU computers, we also collected information on the number of CPUs. Using Red Pill, we detected the presence of a VM on a single participant’s machine. Examining each partic- ipants’ process lists, we were able to confirm that this participant was running VMware. Additionally, we detected VMware Tools running on an additional fifteen machines (sixteen in total), and Parallels Tools running on a single machine. Thus, we can con- firm that at least seventeen participants (1.8% of 965) took the precaution of using a VM to execute our code. Eleven of these participants were in the $1.00 condition, five were in the $0.50 condition, and one was in the $0.01 condition. The information we collected on participants’ motherboards was not useful in determining VM usage."

Apparently you weren't the only one who thought so; but the numbers were small. 16 VMware VMs, 1 Parallels (which, since the study required windows to participate, may have been a security measure or may have been a mac user willing to hose his 'everything I need windows for' machine...)

No word, obviously, on anybody who is a bit more subtle about their VM usage; but I'd be shocked if that number is high.

Re:Did they say HOW to run it?

In the article, they describe how the program gathered information from the computer it was running on - including whether or not it was a VM.

Also, the article didn't have the results. You have to click on the PDF. The highest percentage, those who were paid $1.00, was only 43% (474 out of 1105).

Re:Did they say HOW to run it?

TFA says they did check if it was being run in a VM.

Re:Did they say HOW to run it?

Or just another bare metal box, reformat and or trash when done. (they cant detect this as not real hardware, since... well, it is real hardware)

Re:Did they say HOW to run it?

It's pretty easy to evade VM detection, but there is no way in hell I'd do it for a dollar, but I'd probably do it for a few Vicodin.

Re:Did they say HOW to run it?

So, why not run it on a throwaway machine? Many nerds have unused machines lying around. I would run this on something like that, isolated from the rest of my LAN of course, but I wouldn't' run it on my primary workstation.

Pretty much the same thing as running on a VM - especially if you maintain clean install ghost images or something similar.

Re:Did they say HOW to run it?

[John+Bokma]

And you would all do that for just a buck?

Re:Did they say HOW to run it?

When high-profile data breaches hit the news, people often ask how a company who has so much invested in their offerings would make such grossly negligent mistakes in their implementation of security.

The answer is simple enough: a penny saved is a penny earned. And for large enterprises, we are talking about a lot of pennies.

Re:Did they say HOW to run it?

I'd probably do it for a few Vicodin.

At first i read that as vida-coin, some new cryptocurrency, but it was the old "pill" currency

Re:Did they say HOW to run it?

[pushing-robot]

Who said anything about a buck?

1. Create script to register Amazon Turk account and spin up EC2 instance for an hour
2. while (true) { run_script(); }
3. Profit!

Re:Did they say HOW to run it?

[Rich0]

And you would all do that for just a buck?

Heck, some disgruntled employees would pay them a buck for the payload to run on their work PC that might cause their employer a huge loss... :)

Re:Did they say HOW to run it?

[Runaway1956]

I didn't take part in this little thing. But, I'll mention that I have downloaded malware, intentionally, just to look at it. "Hey, Dad, I found a site that does a driveby installation of crap. Don't go there!" So, I load the site, let it do it's thing, find and decompile the executable, nod my head, and say, "That's pretty slick - I wish they'd find the bastard and castrate him."

It should be noted that almost nothing runs on my locked down Unix-like boxes. Sure, Javascript enabled allows them to hijack the browser, and take it over, but that doesn't take over the system!

Re:Did they say HOW to run it?

[John+Bokma]

Still sounds like too much effort for too little profit. YMMV, of course.

Re:Did they say HOW to run it?

And you'd get owned. Dosbox isn't meant for security. It can mount a path and modify anything your user can modify.

Re:Did they say HOW to run it?

[damn_registrars]

Dosbox isn't meant for security.

Tue, but that doesn't mean you cannot use it securely.

It can mount a path and modify anything your user can modify.

True, but it doesn't mount much of anything by default. If you mount your entire hard drive at startup in dosbox you're an idiot and deserve what you get.

Re:Did they say HOW to run it?

[FatdogHaiku]

http://xkcd.com/350/

Re:Did they say HOW to run it?

Turk accounts, amusingly, require passing a capcha. Which I guess you could farm out, until you get caught.

Re:Did they say HOW to run it?

So, their next research project is how many are willing to download and run a PDF file...

Probably almost as many, though I guess that a few more people know how dangerous PDF files are. Not only can they contain executable code, which runs in a mostly insecure sandbox, but in some cases they even manage to run Adobe Reader. And once that thing is finished starting up, your computer is going to be so outdated you may as well buy a new one. Which is of course a lot more expensive than needing to reinstall Windows because an exe file turned out to be malware.

Re:Did they say HOW to run it?

[X0563511]

Sure, Javascript enabled allows them to hijack the browser, and take it over, but that doesn't take over the system!

Bad assumption, as you'll find out one day when a privilege escalation attack you weren't aware of succeeds and they pwn you. Hell, a few years back there was a bug with libpng that would allow that just by the browser rendering the image!

Re:Did they say HOW to run it?

[Runaway1956]

Okay - sometimes malware does unexpected things. I lose the VM that I'm running. Is that privilege escalation going to give it control of VirtualBox, and then the host system?

I suppose it's possible, but curiosity causes me to take chances now and then.

Besides - the boxes that I play on aren't critical. I wouldn't do this kind of stupid shit on a production machine, after all.

Re:Did they say HOW to run it?

[fuzzyfuzzyfungus]

I suspect that their implementation wasn't robust enough to resist 'one skilled in the art'; but the researchers did arrange it so that, to get paid, the participant had to download the executable, allow it to run for 60 minutes (the cover story was that it was some sort of distributed computing client software), at which time it would give them a code that they could redeem for the amount of money the Turk job specified.

The software did chat over the network (they were interested to see if people would blithely click through firewall warnings); but I didn't see any specific mention of whether the code could be inferred purely by attacking the binary, or if some of the network traffic included data vital to constructing the code.

Rambling aside: they did take measures to prevent mere downloads as being counted as 'runs'; but I wouldn't bet all that much money that they could distinguish a real run from a 'download, fire up IDA Pro, make it talk, spoof a bit of traffic to the researcher's host'. On the other hand, given that the highest-paid group received $1, I hope the guy who did that really enjoys disassembling things...

Well DOH!

I'll run the executable on some random machine that I've already pwnd.

Squirrel!

It is so easy to get distracted these days ...

Security can be so boring.

wasnt this on ./ before ?

i remember i read this somewhere before i tought i read it here on ./

How about Bitcoin?

[KDN]

I'd be curious how much Bitcoin would it take to tempt people.

Re:How about Bitcoin?

1,000 Satoshis.

Re:How about Bitcoin?

I don't know. It depends if you're also willing to convert the bitcoins to Euros or US Dollars. X-D

Business plan

[rodrigoandrade]

1. Set up VM
2. Download all the crap they ask me to
3. Profit

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

Re:Business plan

1. Set up VM
2. Download all the crap they ask me to
3. Profit

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

They usually do it for free.

Re:Business plan

[Tom]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

That, exactly, was the question. The research paper is the answer.

Re:Business plan

[coinreturn]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

That depends on how many boobies the idiot can see in for the dollar.

Personnaly I would automate the process

Where can I apply?

1) Copy fresh VM
2) Boot it up
3) Download and Run .exe
4) 1$ !
5) Close VM
6) Overwrite with fresh (backup) VM
7) Goto 1.

And all that while I'm at work!

Re:Personnaly I would automate the process

oh yeah. $1 for half an hour of work. Are you a slave?

Re:Personnaly I would automate the process

[JazzLad]

That's a dollar on top of my existing $5/hr that my employer pays me - a 20% raise!


;)

Re:Personnaly I would automate the process

Actually, that would be a 40% raise since you can do this twice an hour by the previous AC's reckoning!

This is why evil always triumphs

Because good is dumb...

Re:This is why evil always triumphs

I saw a documentary called Iron Man 3 the other night that proves you wrong.

I'll upgrade my flash player

[jolyonr]

for $5!

Re:I'll upgrade my flash player

[PReDiToR]

I'd install Flash in a VM for £20 ...

Re:I'll upgrade my flash player

How much to not put an A-circumflex before your pound symbol?

Re: I'll upgrade my flash player

[jolyonr]

Don't you accept Unicode Pounds over there?

Anything with gambling would do equally well

[jphamlore]

From what I have seen from some of my relatives, any download related to gambling can inspire similar throwing caution to the wind.

Re:Anything with gambling would do equally well

Or "your player is out of date. Click here" on some shady sports-streaming website.

Nope, but it was through Amazonâ(TM)s Mechani

[khasim]

Because it was through Amazonâ(TM)s Mechanical Turk, I'd take any "findings" with a grain of salt.

All About the Georges

[FranklinWebber]

> 'a paper called: "It's All About The Benjamins: An empirical study...'

> 'cash the researchers offered, capping out at $1, ...'

Because they never offered more than one "George", their paper's title is clearly overstated.

Re:All About the Georges

[drinkypoo]

IT IS ENTIRELY REFERENTIAL

(insert picture of old dude here)

TO THE PORTRAITS OF WASHINGTON

(in this case, that is)

Personnaly I would automate the process

Or perhaps another way ...

1) Go to local library
2) Download all the crap and run
3) $$$
4) Go away and don't come back

consent form

From page 5 of the PDF:

Thus, all participants were required to click through a consent form. Beyond the consent form, there was no evidence that they were participating in a research study

Did the consent form say that you agree to allow CMU to do bad things to your computer? If not, then most people know that free money is free money (and sue the university for megadollars if things go bad). All you had to do was raise the price high enough that they believe they're getting paid fairly for their time. Some may have even been hoping for a virus so they could sue.

Duh

[rabtech]

People were happy to install ActiveX controls to "Punch the Monkey" in 1998. Nothing has changed since then.

It's also why the Android security model is a complete joke and always has been.

Any security model that requires users to make perfect security decisions is an automatic failure because there is no "undo", so one mistake after 10 years of perfect vigilence owns your entire machine.

Re:Duh

I'm not sure about the reaction by /. users to this study?

These are the very people who are the problem when it comes to not caring about privacy or security. The problem I have with any study is they are biased. First off it depends on the region or area of a country you target? Their employment, salary, age, gender, ect.. And there are so many other variables that make these studies just plain dumb!

I think it would be common knowledge to assume a fair number of arrogant/ignorant people would do something like this, without the need for a study. You need look no further then human history to see the dumb shit people are willing to do for a nothing dollar, or a f'in candy bar.

That's one dollar more than it takes

[Opportunist]

Dancing pigs accomplish the same. Actually, more likely even, because people, despite being used to getting free stuff from the internet, are still kinda wary if you actually pay them to do anything.

It's all about the ...

[gQuigs]

https://www.youtube.com/watch?...

It's a world-wide study. Not an american one.

[petes_PoV]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

There are plenty of people for whom a dollar is a lot of money. Don't forget, thus was a world wide study - not one limited to your particular country. The paper states that along with running a program, there was a questionnaire (I wonder what languages it was available in, and also what languages the Mechanical Turk posting was wtitten in - surely that is a tremendous skew to the results?) and that 40% of the survey respondents were from India - where english is quite popular (more english speakers than any other country in the world).

So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

Re:It's a world-wide study. Not an american one.

[unrtst]

So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

From TFS, "While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1."

So, for $0.01, fewer than 50% of respondents (let's just guess around 45%... I'm not going to bother reading the article, but if it was only 10%, then they wouldn't have said "fiewer than half").
And for $0.50, 58%.
And for $1, 64%.

Generally, getting lots of people infected is not an attempt to get EVERYONE infected, and at $1 it was only 68% anyway... so just spend your money more wisely and only offer $0.01, but hit a MUCH larger audience. The math of it:

Spend $10.
Offering $1 = 10 offers = 6.4 people
Offering $0.01 = 1000 offers = 450 people

Sorry, but let's just put aside the purchasing power stuff for a minute, since $0.01 isn't going to buy much anywhere (even if it does buy a little more in third world countries).

Hmmm

[TheCarp]

Less than half for .01, 58% for .50, and 68% for 1.0? Seems like the single penny was the best value, possibly followed by the 50 cents. However, even if we assume "less than half" is as low as 40%, $1 is 10000% more payment for less than a 50% increase!

Re:Hmmm

[petes_PoV]

But the demographics of the downloaders varied with the amount offered. So, at the lowest level there were very few westerners who took the bait. As the reward increased, the proportion grew. If you were planning to use a similar process to grab some confidential or profitable data off the participant's machine, you should take into account the likelihood of poor vs. rich participants' computers having anything you would be looking for.

Biased sample

[penguinoid]

This was done via the Mechanical Turk, so it's already filtered for people willing to do computery things for money. It would be a different story if this was a random website with the author anonymous.

Re:Biased sample

[rogoshen1]

i think you're missing the point.. it's not about the payout, or the self selected sample.

The takeaway should be that people will be less than cautious when it comes to getting some perceived benefit. That psychology is universal, the only variable being what is sufficient motivation. (free pr0n, free movies/tv shows/music etc, or in this case poor indians and $1.)

Re:Biased sample

Not only is it people who will do computery things for money, they trust Mechanical Turk to not harm their computer. If .01 is about 50% I am surprised that $1 is only 68%. Seems to me it should be higher.

Re:Biased sample

136% would run it for $2, which means the act of running the malware increases the amount of test subjects.

Re:Biased sample

[Tom]

It is incredibly difficult to get a proper representative sample online, so some self-selection effects will usually be there. This is a better selection than using a topic-specific website.

Re:Nope, but it was through Amazonâ(TM)s Mech

Do they realize that some of the people may have done it on frozen machines or junk machines? Maybe they have a spare computer that's for nothing but potentially malicious applications.

Surprised ? Don't be ...

[nomad63]

What do you think that most of those websites sends you the surveys to fill out for a few cents running ? Flash ? How much do you know about flash, unless you are a web developer of course, to say if what you are downloading is secure enough, not to steal your identity ? Or when you click on coupons.com etc. coupon printer apps the get downloaded. Once you download and run them, you are giving the app, free rein of your computer. Once run, they are no longer governed by the security controls of your browser. This is how they get to stop you from printing unlimited number of free coke coupons, by hiding the information, somewhere on your storage, even you don't know how to find and delete. It's all about the Benjamins baby.

Anecdote: Do you sleep with me if I paid you $100,000 ? She answers "ummm, yeah, for 100K, I'd sleep with you"; how about if I paid you $10. She answers angrily "what do you think ? you think I'm a whore ?". Oh yes, we have established you are a prostitute. I am just trying to figure out your price.

This ain't anything different. Pay me few bucks and I will surrender my security to you. Then call the IT support, when my computer is running slow and acting weird. No harm to me.

finally!

[Tom]

Thank you. I've wanted to run an experiment like this for years, but couldn't figure out to get a good sample audience.

The result is completely non-surprising. Security Awareness training is 90% pointless waste of money, and I regularily make enemies at conferences when I say it, because there's a ton of money in this snake oil, mostly because you can repeat it ad infinitum, once you've sold a client you can do one every year or twice a year or even get a whole "ongoing awareness process" going.

There are a big number of problems with the whole thing, most of them more psychological than technical. But both from the experience of people doing social engineering pentesting and from empirical data on actual breaches, it is clear that training or not makes not very much difference. Most companies would be a lot better off with extreme basic training to a) satisfy regulatory requirements and b) give the employees the absolute essentials, basically the IT security equivalent of "don't look into laser with remaining eye". Everything beyond that is a waste of money.

If you want help convincing your boss, CISO, etc. to spend that money on something that actually has an effect, and you're in Europe, let me know. Consulting companies out of instead of into pointless expenditures is great fun.

Re:Nope, but it was through Amazonâ(TM)s Mech

Asking participants to download and run software is a violation of Mechanical Turk terms. I know, because I do tasks there and I think I may have turned this task down! Unless they have some way of knowing how many people turned the task down once they knew it involved downloading software (I didn't read the whole paper), I would question the usefulness of the results.

They forgot the most important question:

[Zephyn]

What would you download for a Klondike Bar?

Re: Nope, but it was through Amazonâ(TM)s Mec

[Radish03]

A quick 50 cent or $1 task on mturk could be the highlight of someone's afternoon, when one is stuck thinking in terms of relative value, after tens or hundreds of nickel and dime (or less) tasks.

mechanical turk??

a lot of the programs for offering money up to $1 to do simple tasks, have their own rules... like people have to complete at least $1 worth of tasks every day for 10 days to prove they aren't a bot and to prove that the first 9 people don't complain about your work.

so the users of those systems are already being incentivized to do something... if they don't do something, they lose their account... so i think this study is more about the economics of the "small task for small pay" sites.

the people who are full timers on those sites are probably smart enough to do everything in VM sandboxes.

There's no such word as "incentivize".

[XanC]

We already have "incite".

Re:There's no such word as "incentivize".

For the record "incite" and "incent" are two different words. And "incentivize" is indeed a word. [1] [2]

[1] http://en.wiktionary.org/wiki/incentivize
[2] http://www.merriam-webster.com/dictionary/incentivize

Re:There's no such word as "incentivize".

[XanC]

Neither "incent" nor "incentivize" are words. Using them makes you look illiterate.

Dated research?

[userw014]

When I read the paper, I didn't see anything to suggest a date after 2010. And as the paper says, this only covers workstation computers - Windows/XP through Windows/7. No tablets or smart-phones, or other app-store like environments.

I suspect that if anything, current behavior - influenced by app-store like environments - is even worse. You could probably get someone to run your mystery app just by promising them access to another mystery app.

Data is likely misinterpreted

[Reeznarch]

There's a fairly decent community of people who make money using Mturk. They've been doing these types of jobs for years now and have systems in place to stop malware, generally through a blacklisting process. There is also a widely accepted rule that low paying work is to be shunned - nobody wants to work for a sweatshop, whether it be online or otherwise. The general lowest people will work for is 10 cents a minute. It's very much like a union, people depend on Mturk for money and want to make the most out of their time as possible. I don't see mention of any of this in the article, which pretty much invalidates the entire study for me.

Dancing bunnies

I bet you can get the percentage way higher by instead of a cash incentive, promising the user a video of dancing bunnies.

http://blogs.msdn.com/b/larryosterman/archive/2005/07/12/438284.aspx

Excerpt: ... what happens when a user receives an email message that says "click here to see the dancing bunnies".

The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to disuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

I didn't see this coming....

... so people do stupid things for money? Gosh.