"We almost considered not doing a midyear report until mid-March, when we started to see an uptake" in the number of websites hosting malicious content, the researcher, Ron O'Brien, told SCMagazine.com. The number of websites Sophos was blocking for its customers jumped from about 5,000 a day a year ago to 29,700 by spring, he said.
O'Brien added that when Sophos took a "snapshot" of a million websites, only about 20 percent did not contain some form of malware, inappropriate "adult" content such as pornography or gambling, or spam-related content. The breakdown: almost 29 percent hosted malware, 28 percent porn or gambling, and 19 percent spam.
Most of those are legitimate websites that have fallen victim to hackers, noted O'Brien. “This harks back to the time when everyone with a small business had to have a website and rushed to put do-it-yourself websites,” he said. “They don't do a lot to maintain those sites, and they have become a breeding ground for the malicious websites we found.”
According to O'Brien, this rate of infection tells "owners and hosts of these websites and hosts of websites that they should do everything in their power to bring the situation under control."
Among the web server software hosting malware, the open source Apache product was the most often compromised, according to the report. The fact that 51 percent of all infected websites are on Apache -- 43 percent are on Microsoft's Internet Information Server -- indicates that infection is no longer just a Windows issue, Sophos noted.
The most common infection? Mal/Iframe, which injects malicious code onto web servers, accounted for 49 percent of the infected URLs. Sophos also indicated that the Mal/Iframe infection "shows no sign of abating -- in a recent attack, more than 10,000 web pages were infected, the majority on legitimate web pages hosted by one of Italy's largest ISPs."
China is far and away the No. 1 host of malware-infected web pages, with 54 percent of those on the web. The US is second, with 27 percent, and Russia and Germany are a distant third and fourth, with 4.5 percent and 3.5 percent, respectively.
Sophos also noted the move of cybercriminals to use PDF attachments with graphical images in their spam to avoid detection by less-sophisticated filtering products.
Hackers have also started taking advantage of Windows' "auto-run" capability to automatically execute malicious code when a removable flash drive is attached to the computer. Examples here included the LiarVB-A worm, which spread information about AIDS and HIV via USB key, and the Hairy worm, claiming that the fictional Harry Potter character was dead.
Finally, although web-based vulnerabilities have eclipsed them, email threats continue "to cause concern for businesses," said Sophos. The company saw more than 8,000 new versions of the Mal/HckPk threat used to disguise widespread email attacks such as Dref and Dorf.
"Looking at the results," Sophos' O'Brien concluded, "it's pretty obvious that without appropriate levels of security, the web is not a safe place to play."
Sophos report: the web ‘dangerous place to play’
By Jim Carr on Jul 26, 2007 9:47AM
A dramatic jump in the number of new malicious websites was not only the major news emerging from Sophos' midyear "security threat report," it was the driving force behind it, according to the company's chief security analyst.