Back in May, we posted some stats on Mal/Iframe-N: The next big threat? Looking through our stats on malware hosted on websites this morning, I saw that Mal/Iframe-N was fifth in the overall stats for October.
Looking only at the latter part of the month, from the 21st (when the detection was published) onwards, Mal/Iframe-N is clearly first, and if the results are extrapolated to the whole month, Mal/Iframe-N should have easily beaten Mal/Iframe-F into second place!
Late last week, I downloaded:
- 2819 URIs infected with Mal/Iframe-N
- hosted on 2294 different domains
- with 163 different TLDs including: .edu.in, .edu.tr, .edu.tw, .edu.ua, .ej.am, .eng.br, .es, .eu, .fi, .fr, .fr.cr, .ge, .go.th, .gov.br, .gov.pk, .gov.tr, .gr
I have corresponded with a few other security researchers regarding this threat (1, 2) who, like me, originally thought that the 'onload' attribute wasn't legal in an iframe. Two things changed my mind:
- Visiting an infected site on a goat machine.
- The number of infected sites (>40,000).
In some ways the second fact is more persuasive, as malware authors don't tend to do things for no reason.

















