How real is the threat from web-based malware?

As regular readers of this blog will know, I am always looking for ways of measuring the effectiveness of the protection SophosLabs provides. You will also know that there has been a distinct shift towards web-based malware: infected or compromised websites hosting malware.

We scan millions of web pages and identify a new infected web page every 14 seconds! We publish this data to our WS1000 web appliance every few minutes. But how much of a threat are these millions of infected and compromised web pages?

Some modifications were recently made to the WS1000 so that it reports back some of this information (for customers that have opted to report the data). We’ve started analysing the data and I thought I’d share our initial findings.

• 1 in every 206 page requests (0.48%) were blocked as being either a medium or high risk.
• 1 in every 465 page requests (0.22%) were high risk.
• 1 in every 766 page requests (0.13%) were sites known to be hosting malware.

Surprisingly high numbers, and as is always the case, many more questions have been raised than answered:

How are users getting to these sites? Via search engine results or directed to them by spam?
Where are the sites? Are they newly infected sites or sites that have been around for a long time?

We’ll be doing more analysis over the coming weeks to find out more so that we can continue to focus on protection as well as detection.