I'm just taking a break from testing anti-spyware software using the new lab, and I found an interesting article by Didier Stevens, who has set up a Google advert that offers to infect your system with a virus. The advert links to a website he has set up, which doesn't actually do anything bad but does log how many people decide to click on an advert that says, "Is your PC virus-free? Get it infected here!" Hundreds of people have clicked on the advert, effectively volunteering to have their PCs infected.
The results from my anti-spyware tests are pretty depressing so far. Lots of popular programs are failing to detect brand new malware samples, which is a pretty similar situation to when I recently ran some anti-virus tests and found that products from the anti-virus market leaders were not the best by a long way. If anti-virus and anti-spyware programs are unable to detect masses of new malware, then we are in trouble, because users are not able to rely on protection provided by software - they actually have to behave sensibly too. And clearly some users are so clueless that they are actually clicking on adverts that offer infections.
The two solutions I propose are respectively a) boring and b) unrealistic.
a) Users need to be educated about the dangers of messing around on the internet. Unfortunately, most internet users (I would guess) are not interested in knowing about such things. They want their free downloads now, and anything that gets in their way is a nuisance.
b) We need to introduce a PC driving licence, made available to users only after they have passed a test. You can't buy a PC without a valid licence, and it can be revoked from someone if they are caught using the internet without due care and attention.