
Sophos Finds 9500 Webpages Hosting Malicious Code Every Day



Posted

Boston (MA) – Sophos has published its security report for May and said that malicious code is spreading through the web at an accelerated pace.

The company claims that it has identified an average of 9500 webpages including malware in May – which is about 1000 pages more than Sophos identified on an average day in April. Including websites that temporarily hosted websites, the security firm identified 304,000 malware sites in May, a spokesperson told TG Daily.

The company estimates that there are currently about 450,000 websites that are infected with malicious code, with the number of potential sites hosting malware hovering around 750,000, we were told.

The Mal/Iframe threat, which injects malicious code onto legitimate web pages, remained on the top of Sophos’ threat ranking, capturing a 65.5% share. JS/EncIFra and Troj/Decdec followed with 6.9% and 6.5%, respectively. All other top-10 threats, including Troj/Fujif, Troj/Ifradv, VBS/Redlof, Mal/ObfJS, Troj/Psyme, VBS/Roor and VBS/Soraci, are listed with a share of less than 4%.

"Each month, we are seeing an increase in attacks spreading over the internet, and they continue to cause problems for organizations,” said Ron O’Brien, a security analyst at Sophos. “Malicious sites do not need to host malware to be dangerous. Our Labs are also seeing and blocking access to 600 new phishing pages each day.”

China is still the top-ranked country when it comes to the origin of malware websites. China has a share of 53.2%, followed by the U.S. with 27.4% and Germany with 5.1%.

New on the list is Thailand in position #5 and a share of 1.1%. Sophos noted that “many” of the infected web pages hosted in Thailand are actually on government websites. “It’s a bit worrisome that malware is being found even on legitimate government websites,” O’Brien said. “It goes to show that any organization can be hit if it is not adequately protected. For those who surf the web, they need to make sure that their anti-virus and security patches are always up-to-date, and they should talk to their administrator or ISP about blocking access to infected websites.”

Posted
The Mal/Iframe threat, which injects malicious code onto legitimate web pages, remained on the top of Sophos’ threat ranking, capturing a 65.5% share.

Anyone who can spread a little light on this threat, or alternatively knows links to informative sites? How does this malicious code get injected? Exactly what does it get injected into? How can one detect it on his own sites? What can one do to prevent it?

Posted

Any site that allows user input (forums, galleries, e-commerce sites, etc.) is vulnerable if they allow users the ability to post scripting. That's why most forums don't let users use scripting in posts (embedding videos and such).

If you run web applications it's very important to keep them patched and to learn how to lock them down properly. Many "hacked" sites weren't really broken into, but the doors were left wide open due to permissions being set improperly.

A little intro on the subject:

http://www.spidynamics.com/spilabs/educati...-injection.html

http://www.grc.com/sn/SN-086.htm
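
On the "how can one detect it on his own sites" question, here is an added example that is not part of any post in this thread: a static check that walks a page's HTML and reports iframes that are both hidden and loaded from a host the site owner did not list. The allowlist, the function names, the sample page and the heuristic itself (injected frames are hidden or sized 0 to 1 pixel and point off-site) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site embeds on purpose; adjust per site.
ALLOWED_HOSTS = {"www.example.org"}
# Inline styles that hide a frame or shrink it to 0-1 pixels.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally 'px')."""
    return bool(value) and re.fullmatch(r"\s*[01]\s*(px)?\s*", value, re.I) is not None

class IframeAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []  # (line number, host) per suspicious frame

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        external = host is not None and host not in self.allowed
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if external and hidden:
            self.findings.append((self.getpos()[0], host))

def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(line, host)] for hidden iframes that load from unlisted hosts."""
    parser = IframeAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one allowed embed, one hidden local frame,
# and two hidden frames pointing at hosts that are not on the allowlist.
SAMPLE = """<html><body>
<h1>Gallery</h1>
<iframe src="https://www.example.org/player" width="560" height="315"></iframe>
<iframe src="/local/widget.html" width="0" height="0"></iframe>
<p>Comment text</p>
<iframe src="http://unknown-host.invalid/x" width="1" height="1"></iframe>
<iframe src="//other.invalid/y" style="display: none"></iframe>
</body></html>"""
```

Run `audit_html()` over the pages as the web server delivers them and compare against a known-good copy; a frame that script writes into the page at run time is not visible to this static check.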
