Malicious JSRedir-R script found to be biggest malware threat on the web

Research done by experts in SophosLabs has revealed that a new web-based threat has blown all previous web-based malware out of the water, being found six times more often than its nearest rival.

Web-based malware, 6th-13th May 2009

Troj/JSRedir-R accounts for some 42% of all malicious infections found on websites in the last seven days, massively overshadowing its nearest rival – Mal/Iframe-F – at 7%.

Typically, JSRedir-R is found on legitimate websites, hidden behind obfuscated JavaScript, loading malicious content from third-party sites without the user’s knowledge. In the below case, the obfuscated script tries to download dangerous code from a site called

JSRedir-R uses obfuscated JavaScript

High traffic websites which have been hit by the attack include the highly unpleasant 2 Girls 1 Cup viral video site (I’ve never been there, but its Wikipedia entry tells me that I probably would never want to, and neither should you), as reported by SophosLabs at the beginning of the month.

For JSRedir-R to have overtaken the previously seemingly unbeatable Mal/Iframe-F in the web malware charts is quite an event. Users of Sophos security solutions, including our web appliance, are already protected against this threat – but if you use another vendor’s product make sure that you are updated and protecting against JSRedir-R before it drags malicious code onto your desktops.

In addition, if you run a website make sure it is properly hardened to prevent hackers from injecting their malicious code into your pages, or you could be passing an unpleasant pox onto your visitors.

No-one should be in any doubt that the web is the primary vector by which hackers are trying to infect computers today. Our most recent security threat report revealed that we see a new infected webpage every 4.5 seconds – that’s three times more than the rate in 2007 – and it doesn’t look like things are getting any better.

Update: Read the blog entry from Paul Baccas of Sophos to read more about how this malware is being planted, and how to clean-up your website afterwards.