Benedelman: Who Profits from Security Holes?

I have a feeling that this article, Who Profits from Security Holes?, is going to get a lot of traction on certain blogs and news sites:

How bad is this problem? How much junk can get installed on a user’s PC by merely visiting a single site? I set out to see for myself — by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still — with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn’t consent to their installation on my PC.

Ironically, I just gave a workshop session on malware to some non-profit organisations. In recent months, I’ve had to change it from being exclusively on virus issues, and now it’s about 50% on spyware. This was a direct result of the number of technical support calls I’ve received recently: about 3/4 of them were problems related to spyware infestation, including pornographic pop-ups, multiple “search-bars”, frequent slow-downs, instability, and all the other usual suspects. Most of the time, the caller isn’t even aware of what spyware is.

In the session, I find it useful to talk about spyware as a pretty flower you find in a field and bring home to plant in your garden, only to find its bloom fading fast, its roots choking out the rest of your plants and its runners spreading to the neighbours’ gardens. Most of the participants don’t understand how networks and executables work, but they understand the nature of a weed. I can’t think of a better comparison.