Sophos Security Threat Report reveals record number of new web-borne threats in 2007

July 25, 2007 Sophos Press Release

Sophos, a world leader in IT security and control, has published new research into the first six months of cybercrime in 2007. The Sophos Security Threat Report - which can be downloaded here - examines existing and emerging security trends and has identified a sharp rise in the number of web threats, as well as the countries and server types hosting the most infected sites.

The first half of 2007 has seen an explosion in threats spread via the web, which has now taken over from email as the preferred vector of attack for financially motivated cybercriminals. Indeed, in June alone Sophos's global network of monitoring stations uncovered a record number of new infected webpages - approximately 29,700 - each day. In contrast, earlier in 2007, the number of malicious pages detected stood as low as just 5,000 per day.

Blocked pages under the microscope

Sophos blocks access to millions of webpages to protect customers from malware and inappropriate content. Taking a snapshot of just one million of those blocked webpages, experts found that 28.8 percent were blocked because they were hosting malware. A further 28.0 percent were blocked due to the adult nature of their content, most commonly because they were pornography or gambling sites.

Figure: Snapshot of a million webpages blocked by Sophos - breakdown by category.

Pages set up by spammers accounted for 19.4 percent of those blocked by Sophos and 4.3 percent were classed as illegal sites, for instance, they were peddling pirated software or were phishing sites. Of the websites containing malicious code, just one in five had been designed specifically for malicious activity, with the remaining 80 percent made up of legitimate sites that have fallen victim to hackers.

Apache is the most compromised server

By compromising a single file on a web server, cybercriminals can easily and quickly cross-contaminate a huge number of websites, as the infected file may form part of a plethora of unrelated pages, all of which are published from the same server.

The breakdown of the world's top server types affected by web threats in the first six months of 2007 reads as follows:

Figure: Top web server software hosting malware.

The fact that more than half of all malware-infected webpages were hosted on Apache servers demonstrates that infection is not simply a Windows problem. Earlier this year, during a global ObfJS attack, in which legitimate sites were compromised so that they could serve up malicious code, 98 percent of affected servers were running Apache - many of which were hosted on UNIX rather than Windows platforms.

"With a whopping 80 percent of all infected webpages found on legitimate sites, it begs the question as to why web hosts are not taking the necessary steps to properly secure their servers," said Graham Cluley, senior technology consultant at Sophos. "Simple measures such as keeping up to date with security patches will go a long way towards thwarting this problem - the fewer holes in server setups, the lower the risk of infection. Web hosts that are currently not behaving responsibly must bite the bullet and take better care of their sites. Just using Apache on your web server doesn't mean you are now bullet-proof from hackers trying to plant malicious code on your site. It will be a wake-up call for some to see that malware is not just a Microsoft problem."

Top web-based threats of 2007 - so far

The top ten list of web-based malware hosted on these infected sites during the first six months of 2007 reads as follows:

Position   Malware       Percentage of reports
1          Mal/Iframe    49.2%
2          Troj/Psyme    8.3%
3          Troj/Fujif    7.9%
4          JS/EncIFra    7.3%
5          Troj/Decdec   6.9%
6          Troj/Ifradv   4.1%
7          Mal/ObfJS     2.5%
8          Mal/Packer    1.5%
9          VBS/Redlof    1.1%
10         Mal/FunDF     0.9%
           Others        10.3%


Mal/Iframe, which works by injecting malicious code onto web pages, dominates this chart, accounting for almost half of the world's infected URLs. Furthermore, it shows no sign of abating - in a recent potent attack, more than 10,000 web pages were infected, the majority of which were on legitimate webpages hosted by one of Italy's largest ISPs.
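The two passages above describe the same mechanic from two angles: an attacker who alters one file on a shared web server taints every page built from it, and Mal/Iframe does its work by injecting a hidden frame into otherwise legitimate pages. The following Python script is an added example written for this page, not Sophos code and not a signature for any named threat. It parses HTML with the standard library and flags iframes that are effectively invisible (zero-size, CSS-hidden, or positioned off-screen), which is the pattern a web host or site owner would look for when checking whether pages have been tampered with. The sample page and the example.invalid hostnames are constructed; the pixel threshold is an assumption chosen for the example.

```python
"""Flag hidden <iframe> elements of the kind injected into compromised pages.

Added example for this page; the sample HTML and the example.invalid URLs are
constructed placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser

# Assumed threshold: an iframe whose width or height is at or below this many
# pixels is treated as concealed rather than a legitimate embed.
_TINY = 2


class IframeFinder(HTMLParser):
    """Collect every <iframe> start tag together with its attributes and line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _ = self.getpos()
            # Attributes without a value (e.g. <iframe hidden>) arrive as None.
            self.iframes.append((line, {k.lower(): (v or "") for k, v in attrs}))


def _px(value):
    """Parse '0' or '1px'; return the integer pixel count, or None for anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """Return the reasons an iframe looks deliberately concealed (empty if none)."""
    reasons = []
    # Zero or near-zero dimensions given as HTML attributes.
    for dim in ("width", "height"):
        px = _px(attrs.get(dim, ""))
        if px is not None and px <= _TINY:
            reasons.append(f"{dim}={px}px")
    # CSS-based hiding: display:none, visibility:hidden, off-screen offsets,
    # or tiny dimensions set through the style attribute.
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    for m in re.finditer(r"(left|top):(-\d+)px", style):
        reasons.append(f"{m.group(1)}:{m.group(2)}px")
    for dim in ("width", "height"):
        m = re.search(rf"(?<![a-z-]){dim}:(\d+)px", style)
        if m and int(m.group(1)) <= _TINY:
            reasons.append(f"style {dim}={m.group(1)}px")
    return reasons


def scan_html(html_text):
    """Return [(line, src, reasons)] for every iframe in the document that looks hidden."""
    parser = IframeFinder()
    parser.feed(html_text)
    findings = []
    for line, attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            findings.append((line, attrs.get("src", ""), reasons))
    return findings


# Constructed sample: a legitimate page with one visible embed, followed by two
# injected hidden frames appended after </html>, where an edited shared include
# or footer would typically place them.
SAMPLE_PAGE = """<html>
<head><title>Pottery club newsletter</title></head>
<body>
<p>Welcome to our monthly update.</p>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
</body>
</html>
<iframe src="http://malware.example.invalid/in.cgi?3" width="0" height="0"></iframe>
<iframe src="http://counter.example.invalid/c.php" style="display:none;position:absolute;left:-1000px"></iframe>
"""

if __name__ == "__main__":
    for line, src, reasons in scan_html(SAMPLE_PAGE):
        print(f"line {line}: hidden iframe -> {src}  ({', '.join(reasons)})")
```

Run against a site's published files (or a crawl of its rendered pages), the script reports the line number and target of each concealed frame; a clean site should report nothing, and a frame pointing at a host the site owner does not recognise is the signal to compare the file against a known-good copy and look for the shared template or include that introduced it.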

"Mal/Iframe is a textbook example of a spawning web threat that targets and exploits vulnerable sites regardless of whether the content is about pottery or pornography," continued Cluley. "Web security solutions must go beyond blocking websites based simply on category - a gambling site may seem more of a threat, but sometimes the most innocuous sounding site can pose the greatest danger."

Most infected webpages hosted in China

The top ten list of countries hosting malware-infected web pages during the first half of 2007 reads as follows:

Position   Country          Percentage of reports
1          China            53.9%
2          United States    27.2%
3          Russia           4.5%
4          Germany          3.5%
5          Ukraine          1.2%
6          France           1.1%
7          Canada           0.8%
8          United Kingdom   0.7%
9=         Taiwan           0.6%
9=         South Korea      0.6%
           Others           5.9%


China, which at the end of 2006 hosted just over a third of all malware, has now overtaken the US, and in the first six months of 2007 was responsible for hosting more than half of all web threats reported to Sophos in this period. China's dramatic rise in the chart is primarily due to widespread Mal/Iframe infections on Chinese hosted web pages. In fact, more than 80 percent of the country's compromised web pages are infected with this malware.

Hackers turn to PDFs and removable drives to commit cybercrimes

The first half of 2007 has seen cybercriminals using attachments in spam messages. To avoid detection by less sophisticated gateway filtering products, there is a growing trend for spammers to use PDF files carrying a graphical version of their marketing message, in their attempt to reach potential customers.

Hackers have also taken advantage of users who have "auto-run" enabled on their Windows PC to automatically execute malicious code as soon as an infected removable flash drive is connected to the computer. Notable examples this year were the LiarVB-A worm which spread information about AIDS and HIV via USB keys, and the Hairy worm which claimed that teen wizard Harry Potter was dead. However, neither threat became widespread and both could be protected against using up-to-date anti-virus software at the desktop.

Email still a cause for concern

Email threats continue to cause concern for businesses and, although they have become eclipsed by web-based threats, the actual amount of email-borne malware has remained constant during the past year. The proportion of infected email during the first half of 2007 was 1 in 322, or 0.29 percent of all messages. More than 8,000 new versions of the Mal/HckPk threat were seen during 2007, as it was used to disguise widespread email attacks like Dref and Dorf.

Much more information about the latest trends in malware, spyware and spam can be found in the report, which can be downloaded from the Sophos website: