Research Project Pays People To Download, Run Executables

msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

Did they say HOW to run it?

[damn_registrars]

I would run it in a dosbox or VM for a dollar.

Re:Did they say HOW to run it?

[fuzzyfuzzyfungus]

"Because the Red Pill VM-detection routine [28] only works reliably on single-CPU computers, we also collected information on the number of CPUs. Using Red Pill, we detected the presence of a VM on a single participant’s machine. Examining each partic- ipants’ process lists, we were able to confirm that this participant was running VMware. Additionally, we detected VMware Tools running on an additional fifteen machines (sixteen in total), and Parallels Tools running on a single machine. Thus, we can con- firm that at least seventeen participants (1.8% of 965) took the precaution of using a VM to execute our code. Eleven of these participants were in the $1.00 condition, five were in the $0.50 condition, and one was in the $0.01 condition. The information we collected on participants’ motherboards was not useful in determining VM usage."

Apparently you weren't the only one who thought so; but the numbers were small. 16 VMware VMs, 1 Parallels (which, since the study required windows to participate, may have been a security measure or may have been a mac user willing to hose his 'everything I need windows for' machine...)

No word, obviously, on anybody who is a bit more subtle about their VM usage; but I'd be shocked if that number is high.

Re:Did they say HOW to run it?

[John+Bokma]

And you would all do that for just a buck?

Re:Did they say HOW to run it?

[pushing-robot]

Who said anything about a buck?

1. Create script to register Amazon Turk account and spin up EC2 instance for an hour
2. while (true) { run_script(); }
3. Profit!

Re:Did they say HOW to run it?

[Rich0]

And you would all do that for just a buck?

Heck, some disgruntled employees would pay them a buck for the payload to run on their work PC that might cause their employer a huge loss... :)

Re:Did they say HOW to run it?

[Runaway1956]

I didn't take part in this little thing. But, I'll mention that I have downloaded malware, intentionally, just to look at it. "Hey, Dad, I found a site that does a driveby installation of crap. Don't go there!" So, I load the site, let it do it's thing, find and decompile the executable, nod my head, and say, "That's pretty slick - I wish they'd find the bastard and castrate him."

It should be noted that almost nothing runs on my locked down Unix-like boxes. Sure, Javascript enabled allows them to hijack the browser, and take it over, but that doesn't take over the system!

Re:Did they say HOW to run it?

[John+Bokma]

Still sounds like too much effort for too little profit. YMMV, of course.

Re:Did they say HOW to run it?

[damn_registrars]

Dosbox isn't meant for security.

Tue, but that doesn't mean you cannot use it securely.

It can mount a path and modify anything your user can modify.

True, but it doesn't mount much of anything by default. If you mount your entire hard drive at startup in dosbox you're an idiot and deserve what you get.

Re:Did they say HOW to run it?

[FatdogHaiku]

http://xkcd.com/350/

Re:Did they say HOW to run it?

[X0563511]

Sure, Javascript enabled allows them to hijack the browser, and take it over, but that doesn't take over the system!

Bad assumption, as you'll find out one day when a privilege escalation attack you weren't aware of succeeds and they pwn you. Hell, a few years back there was a bug with libpng that would allow that just by the browser rendering the image!

Re:Did they say HOW to run it?

[Runaway1956]

Okay - sometimes malware does unexpected things. I lose the VM that I'm running. Is that privilege escalation going to give it control of VirtualBox, and then the host system?

I suppose it's possible, but curiosity causes me to take chances now and then.

Besides - the boxes that I play on aren't critical. I wouldn't do this kind of stupid shit on a production machine, after all.

Re:Did they say HOW to run it?

[fuzzyfuzzyfungus]

I suspect that their implementation wasn't robust enough to resist 'one skilled in the art'; but the researchers did arrange it so that, to get paid, the participant had to download the executable, allow it to run for 60 minutes (the cover story was that it was some sort of distributed computing client software), at which time it would give them a code that they could redeem for the amount of money the Turk job specified.

The software did chat over the network (they were interested to see if people would blithely click through firewall warnings); but I didn't see any specific mention of whether the code could be inferred purely by attacking the binary, or if some of the network traffic included data vital to constructing the code.

Rambling aside: they did take measures to prevent mere downloads as being counted as 'runs'; but I wouldn't bet all that much money that they could distinguish a real run from a 'download, fire up IDA Pro, make it talk, spoof a bit of traffic to the researcher's host'. On the other hand, given that the highest-paid group received $1, I hope the guy who did that really enjoys disassembling things...

Squirrel!

It is so easy to get distracted these days ...

Security can be so boring.

wasnt this on ./ before ?

i remember i read this somewhere before i tought i read it here on ./

How about Bitcoin?

[KDN]

I'd be curious how much Bitcoin would it take to tempt people.

Business plan

[rodrigoandrade]

1. Set up VM
2. Download all the crap they ask me to
3. Profit

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

Re:Business plan

1. Set up VM
2. Download all the crap they ask me to
3. Profit

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

They usually do it for free.

Re:Business plan

[Tom]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

That, exactly, was the question. The research paper is the answer.

Re:Business plan

[coinreturn]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

That depends on how many boobies the idiot can see in for the dollar.

I'll upgrade my flash player

[jolyonr]

for $5!

Re:I'll upgrade my flash player

[PReDiToR]

I'd install Flash in a VM for £20 ...

Re: I'll upgrade my flash player

[jolyonr]

Don't you accept Unicode Pounds over there?

Anything with gambling would do equally well

[jphamlore]

From what I have seen from some of my relatives, any download related to gambling can inspire similar throwing caution to the wind.

Nope, but it was through Amazonâ(TM)s Mechani

[khasim]

Because it was through Amazonâ(TM)s Mechanical Turk, I'd take any "findings" with a grain of salt.

All About the Georges

[FranklinWebber]

> 'a paper called: "It's All About The Benjamins: An empirical study...'

> 'cash the researchers offered, capping out at $1, ...'

Because they never offered more than one "George", their paper's title is clearly overstated.

Re:All About the Georges

[drinkypoo]

IT IS ENTIRELY REFERENTIAL

(insert picture of old dude here)

TO THE PORTRAITS OF WASHINGTON

(in this case, that is)

Duh

[rabtech]

People were happy to install ActiveX controls to "Punch the Monkey" in 1998. Nothing has changed since then.

It's also why the Android security model is a complete joke and always has been.

Any security model that requires users to make perfect security decisions is an automatic failure because there is no "undo", so one mistake after 10 years of perfect vigilence owns your entire machine.

That's one dollar more than it takes

[Opportunist]

Dancing pigs accomplish the same. Actually, more likely even, because people, despite being used to getting free stuff from the internet, are still kinda wary if you actually pay them to do anything.

It's all about the ...

[gQuigs]

https://www.youtube.com/watch?...

It's a world-wide study. Not an american one.

[petes_PoV]

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

There are plenty of people for whom a dollar is a lot of money. Don't forget, thus was a world wide study - not one limited to your particular country. The paper states that along with running a program, there was a questionnaire (I wonder what languages it was available in, and also what languages the Mechanical Turk posting was wtitten in - surely that is a tremendous skew to the results?) and that 40% of the survey respondents were from India - where english is quite popular (more english speakers than any other country in the world).

So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

Re:It's a world-wide study. Not an american one.

[unrtst]

So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

From TFS, "While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1."

So, for $0.01, fewer than 50% of respondents (let's just guess around 45%... I'm not going to bother reading the article, but if it was only 10%, then they wouldn't have said "fiewer than half").
And for $0.50, 58%.
And for $1, 64%.

Generally, getting lots of people infected is not an attempt to get EVERYONE infected, and at $1 it was only 68% anyway... so just spend your money more wisely and only offer $0.01, but hit a MUCH larger audience. The math of it:

Spend $10.
Offering $1 = 10 offers = 6.4 people
Offering $0.01 = 1000 offers = 450 people

Sorry, but let's just put aside the purchasing power stuff for a minute, since $0.01 isn't going to buy much anywhere (even if it does buy a little more in third world countries).

Hmmm

[TheCarp]

Less than half for .01, 58% for .50, and 68% for 1.0? Seems like the single penny was the best value, possibly followed by the 50 cents. However, even if we assume "less than half" is as low as 40%, $1 is 10000% more payment for less than a 50% increase!

Re:Hmmm

[petes_PoV]

But the demographics of the downloaders varied with the amount offered. So, at the lowest level there were very few westerners who took the bait. As the reward increased, the proportion grew. If you were planning to use a similar process to grab some confidential or profitable data off the participant's machine, you should take into account the likelihood of poor vs. rich participants' computers having anything you would be looking for.

Re:Personnaly I would automate the process

[JazzLad]

That's a dollar on top of my existing $5/hr that my employer pays me - a 20% raise!


;)

Biased sample

[penguinoid]

This was done via the Mechanical Turk, so it's already filtered for people willing to do computery things for money. It would be a different story if this was a random website with the author anonymous.

Re:Biased sample

[rogoshen1]

i think you're missing the point.. it's not about the payout, or the self selected sample.

The takeaway should be that people will be less than cautious when it comes to getting some perceived benefit. That psychology is universal, the only variable being what is sufficient motivation. (free pr0n, free movies/tv shows/music etc, or in this case poor indians and $1.)

Re:Biased sample

[Tom]

It is incredibly difficult to get a proper representative sample online, so some self-selection effects will usually be there. This is a better selection than using a topic-specific website.

Surprised ? Don't be ...

[nomad63]

What do you think that most of those websites sends you the surveys to fill out for a few cents running ? Flash ? How much do you know about flash, unless you are a web developer of course, to say if what you are downloading is secure enough, not to steal your identity ? Or when you click on coupons.com etc. coupon printer apps the get downloaded. Once you download and run them, you are giving the app, free rein of your computer. Once run, they are no longer governed by the security controls of your browser. This is how they get to stop you from printing unlimited number of free coke coupons, by hiding the information, somewhere on your storage, even you don't know how to find and delete. It's all about the Benjamins baby.

Anecdote: Do you sleep with me if I paid you $100,000 ? She answers "ummm, yeah, for 100K, I'd sleep with you"; how about if I paid you $10. She answers angrily "what do you think ? you think I'm a whore ?". Oh yes, we have established you are a prostitute. I am just trying to figure out your price.

This ain't anything different. Pay me few bucks and I will surrender my security to you. Then call the IT support, when my computer is running slow and acting weird. No harm to me.

finally!

[Tom]

Thank you. I've wanted to run an experiment like this for years, but couldn't figure out to get a good sample audience.

The result is completely non-surprising. Security Awareness training is 90% pointless waste of money, and I regularily make enemies at conferences when I say it, because there's a ton of money in this snake oil, mostly because you can repeat it ad infinitum, once you've sold a client you can do one every year or twice a year or even get a whole "ongoing awareness process" going.

There are a big number of problems with the whole thing, most of them more psychological than technical. But both from the experience of people doing social engineering pentesting and from empirical data on actual breaches, it is clear that training or not makes not very much difference. Most companies would be a lot better off with extreme basic training to a) satisfy regulatory requirements and b) give the employees the absolute essentials, basically the IT security equivalent of "don't look into laser with remaining eye". Everything beyond that is a waste of money.

If you want help convincing your boss, CISO, etc. to spend that money on something that actually has an effect, and you're in Europe, let me know. Consulting companies out of instead of into pointless expenditures is great fun.

They forgot the most important question:

[Zephyn]

What would you download for a Klondike Bar?

Re: Nope, but it was through Amazonâ(TM)s Mec

[Radish03]

A quick 50 cent or $1 task on mturk could be the highlight of someone's afternoon, when one is stuck thinking in terms of relative value, after tens or hundreds of nickel and dime (or less) tasks.

There's no such word as "incentivize".

[XanC]

We already have "incite".

Re:There's no such word as "incentivize".

[XanC]

Neither "incent" nor "incentivize" are words. Using them makes you look illiterate.

Dated research?

[userw014]

When I read the paper, I didn't see anything to suggest a date after 2010. And as the paper says, this only covers workstation computers - Windows/XP through Windows/7. No tablets or smart-phones, or other app-store like environments.

I suspect that if anything, current behavior - influenced by app-store like environments - is even worse. You could probably get someone to run your mystery app just by promising them access to another mystery app.

Data is likely misinterpreted

[Reeznarch]

There's a fairly decent community of people who make money using Mturk. They've been doing these types of jobs for years now and have systems in place to stop malware, generally through a blacklisting process. There is also a widely accepted rule that low paying work is to be shunned - nobody wants to work for a sweatshop, whether it be online or otherwise. The general lowest people will work for is 10 cents a minute. It's very much like a union, people depend on Mturk for money and want to make the most out of their time as possible. I don't see mention of any of this in the article, which pretty much invalidates the entire study for me.