Mal/Iframe-N: Another winning infection?

Filed Under: Malware, SophosLabs

Back in May, we posted some stats in "Mal/Iframe-N: The next big threat?". Looking through our stats on malware hosted on websites this morning, I saw that Mal/Iframe-N was fifth in the overall stats for October.

Looking at the latter part of the month, from the 21st (when the detection was published) onwards, Mal/Iframe-N is clearly first, and if the results are extrapolated for the whole month, Mal/Iframe-N should have easily beaten Mal/Iframe-F into second place!

Late last week, I downloaded:

  • 2819 URIs infected with Mal/Iframe-N
  • hosted on 2294 different domains
  • with 163 different TLDs, including: .edu.in, .edu.tr, .edu.tw, .edu.ua, .ej.am, .eng.br, .es, .eu, .fi, .fr, .fr.cr, .ge, .go.th, .gov.br, .gov.pk, .gov.tr, .gr

I have corresponded with a few other security researchers regarding this threat (1, 2) who, like me, originally thought that the 'onload' attribute wasn't legal in an iframe. Two things changed my mind:

  1. Visiting an infected site on a goat machine.
  2. The number of infected sites (>40,000).

In some ways the second fact is more persuasive, as malware authors don't tend to do things for no reason.
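A site owner's check for the trait discussed above, as an added example (not Sophos's detection logic and not code from the original post): it lists every iframe tag in a page that carries an onload attribute so the markup can be reviewed. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser


class IframeOnloadFinder(HTMLParser):
    """Collects every <iframe> start tag that carries an onload attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME ONLOAD=...>
        # is matched as well. handle_startendtag() delegates here by default,
        # which covers the self-closing <iframe ... /> form.
        if tag != "iframe":
            return
        attr_map = dict(attrs)
        if "onload" in attr_map:
            line, col = self.getpos()
            self.findings.append({
                "line": line,
                "column": col,
                "src": attr_map.get("src"),
                # A bare attribute with no value is reported as None.
                "onload": attr_map["onload"] or "",
            })


def find_iframe_onload(html_text):
    """Return a list of findings (line, column, src, onload) for html_text."""
    finder = IframeOnloadFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page; the handler body is a placeholder.
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<IFRAME SRC="about:blank" OnLoad="placeholderHandler()"></IFRAME>
<!-- <iframe onload="commentedOut()"></iframe> -->
</body></html>"""

if __name__ == "__main__":
    for f in find_iframe_onload(SAMPLE_PAGE):
        print("line %(line)d col %(column)d: src=%(src)r onload=%(onload)r" % f)
```

A hit is a prompt to review the page source, not a verdict: legitimate pages can use iframe onload handlers too.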
