Mal/Iframe-N: Another winning infection?
Back in May, we posted some stats on the prevalence of Troj/JSRedir-R. Last week, I asked was Mal/Iframe-N: The next big threat? Looking through our stats on malware hosted on websites this morning, I saw that Mal/Iframe-N was fifth in the overall stats for October.
Looking at the latter part of the month, from the 21st (when the detection was published) onwards, Mal/Iframe-N is clearly first, and if the results are extrapolated for the whole month Mal/Iframe-N should have easily beaten Mal/Iframe-F into second place!
Late last week, I downloaded:
- 2819 URIs infected with Mal/Iframe-N
- hosted on 2294 different domains
- with 163 different TLDs including: .edu.in, .edu.tr, .edu.tw, .edu.ua, .ej.am, .eng.br, .es, .eu, .fi, .fr, .fr.cr, .ge, .go.th, .gov.br, .gov.pk, .gov.tr, .gr
I have corresponded with other security researchers regarding this threat (see iframes are EVIL! Hate Zeus!), particularly with Unmask Parasites, who has gone into more detail on this type of threat (see 1, 2) and who, like me, originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:
- Visiting an infected site on a goat machine.
- The number of infected sites (>40,000).
In some ways the second fact is more persuasive, as malware authors don’t tend to do things for no reason.
Posted on November 2nd, 2009 by Pob, SophosLabs, UK. Filed under: General, Malware, Web