Hack Attack: 9,500 new infected web pages every day, reports Sophos

June 01, 2007 Sophos Press Release

Sophos, a world leader in IT security and control, has revealed the most prevalent malware threats causing problems for computer users around the world during May 2007.

The figures compiled by Sophos's global network of monitoring stations show that infected web pages continue to pose a threat, affecting official government websites as well as other legitimate pages. On average this month, Sophos uncovered 9,500 new infected web pages daily - an increase of more than 1,000 every day compared to April. In total, 304,000 web pages hosting malicious code were identified in May.

The top ten list of web-based malware threats in May 2007 reads as follows:

Position  Malware       Percentage
1         Mal/Iframe    65.5%
2         JS/EncIFra    6.9%
3         Troj/Decdec   6.5%
4         Troj/Fujif    3.7%
5         Troj/Ifradv   3.0%
6         VBS/Redlof    2.2%
7         Mal/ObfJS     1.8%
8         Troj/Psyme    1.2%
9         VBS/Roor      1.0%
10        VBS/Soraci    0.9%
Others                  7.3%

Iframe, which works by injecting malicious code onto legitimate web pages, continues to dominate the chart, accounting for almost two thirds of all web-based threats in May. The three newcomers, Redlof, Roor and Soraci, are all appending viruses, infecting, amongst others, HTM, HTML and HTT files. The appearance of these relatively old viruses in the chart (for example, Sophos has provided protection against Soraci for two years) illustrates that many web administrators are failing to keep their websites safe from hackers intent on compromising their pages.

"Attacks spreading on the web are becoming more frequent and more problematic for businesses every month," explained Carole Theriault, senior security consultant at Sophos. "Malicious sites don't need to host malware to be dangerous - we are also seeing and blocking access to 600 new phishing pages each day".

"It's no longer enough for businesses simply to filter websites based on category - the real nasty attacks are most often found lurking on legitimate web pages," continued Theriault. "This is a wake up call for organizations with a website: being out of date with patches and running inadequate security has very real risks."

The top ten list of countries hosting malware-infected web pages in May 2007 reads as follows:

Position  Country                  Percentage
1         China (inc. Hong Kong)   53.2%
2         United States            27.4%
3         Germany                  5.1%
4         Russia                   3.5%
5         Thailand                 1.1%
6         Ukraine                  1.0%
7         United Kingdom           0.9%
8         Taiwan                   0.8%
9         Canada                   0.6%
10        South Korea              0.5%
Others                             5.9%

China, responsible for hosting more than 50 percent of infected web pages identified by Sophos, has retained its position at the top of the chart. The country's continued dominance is largely down to increased reports of Iframe, which has been widely reported on unprotected Chinese web pages.

Thailand has entered the chart for the first time at number five. Sophos research found that many of the infected web pages hosted in Thailand are on government websites that have been infected by malware.

"The fact that malware is being found on legitimate government websites shows again that any organisation can be hit if it is not vigilant," said Theriault. "Web surfers need to be careful too - they are the ones that these sites are targeting: be wary of spam which entices you to click on web links, even if the link looks legitimate. Keep your anti-virus and security patches up to date, and talk to your administrator or ISP about blocking access to infected websites."

The top ten list of email-based malware threats in May 2007 reads as follows:

Position  Last month  Malware       Percentage of reports
1         Re-entry    W32/Sober     29.0%
2         1           W32/Netsky    26.9%
3         3           W32/Mytob     13.1%
4         4           W32/Stratio   6.1%
5         7           W32/MyDoom    4.1%
6         5           W32/Zafi      3.9%
7=        New         Mal/Behav     3.8%
7=        6           W32/Sality    3.8%
9         8           W32/Bagle     3.3%
10        9           W32/Nyxem     1.8%
Others                              4.2%

In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one third of all threats. Sober's dominance in the chart is primarily due to a huge outbreak on May 1st that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70 percent of all infected email identified by Sophos.

A graphic of the top ten email-based malware chart is available.

The top ten hoaxes and chain letters in May were as follows:

Position  Hoax                          Percentage of reports
1         Hotmail hoax                  11.1%
2         Olympic torch                 10.0%
3         A virtual card for you        8.2%
4         Great Gas-Out                 4.1%
5         MSN is closing down           3.4%
6         Bonsai kitten                 2.9%
7         Meninas da Playboy            2.8%
8         Justice for Jamie             2.6%
9         Bill Gates fortune            2.0%
10        Budweiser frogs screensaver   1.9%
Others                                  51.0%