Mal/Iframe-N: Another winning infection?

Back in May, we posted some stats on the Mal/Iframe-N: The next big threat?. Looking through our stats on malware hosted on websites this morning I saw that Mal/Iframe-N fifth in the overall stats for October.

Looking at the latter part of the month from the 21st (when the detection was published) onwards.

Mal/Iframe-N is clearly first and if the results are extrapolated for the whole month Mal/Iframe-N should have easily beat Mal/Iframe-F into second place!

Late last week, I downloaded:

  • 2819 infected URIs infected with Mal/Iframe-N
  • hosted on 2294 different domains
  • with 163 different TLDs including:

I have had a few correspondences with other security researchers regarding this threat (1, 2) who like me originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:

  1. Visiting an infected site on a goat machine.
  2. The number of infected sites (>40, 000).

In someways the second fact is more persuasive as malware authors don’t tend do things for no reason.