Back in May, we posted some stats on the Mal/Iframe-N: The next big threat?. Looking through our stats on malware hosted on websites this morning I saw that Mal/Iframe-N fifth in the overall stats for October.
Looking at the latter part of the month from the 21st (when the detection was published) onwards.
Mal/Iframe-N is clearly first and if the results are extrapolated for the whole month Mal/Iframe-N should have easily beat Mal/Iframe-F into second place!
Late last week, I downloaded:
- 2819 infected URIs infected with Mal/Iframe-N
- hosted on 2294 different domains
- with 163 different TLDs including:
I have had a few correspondences with other security researchers regarding this threat (1, 2) who like me originally thought that the ‘onload’ attribute wasn’t legal in an iframe. Two things changed my mind:
- Visiting an infected site on a goat machine.
- The number of infected sites (>40, 000).
In someways the second fact is more persuasive as malware authors don’t tend do things for no reason.