For the fourth month in a row, HTML/ScrInject.B continues to dominate malware statistics based on ESET Live Grid®, a cloud-based malware collection system utilizing data from users of ESET solutions worldwide. Its recorded infection rate was 5.60% globally (6.20% in Europe), up in both instances. INF/Autorun was the number two threat with a 5.19% rate of infection (third in Europe with 4.38%), with a strong rebound as well. The number three malware worldwide was HTML/Iframe with 3.95% (number two in Europe with 4.66%).
HTML/ScrInject.B is a generic detection of HTML web pages containing an obfuscated script or iframe tag that automatically redirects the user to the malware download, while INF/Autorun represents a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives) are accessed by a Windows PC user. HTML/Iframe.B denotes a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location containing malicious software.
This month, there were four newcomers to the global top ten. Two of them, JS/Agent and JS/IFrame, are trojans, both with an infection rate of more than 2%. JS/Agent is a generic detection name for various kinds of malicious JavaScripts found on compromised webpages. JS/Iframe redirects the browser to a specific URL location loaded with malicious software. The program code of these forms of malware is usually embedded in HTML pages. The other newcomers are Win32/Sirefef, a trojan that redirects results of online search engines to web sites that contain adware, and JS/Redirector, a trojan that redirects the browser to a specific URL location with malicious software.
Global Threats According to ESET Live Grid® Statistics (March 2012)
Threats in Europe According to ESET Live Grid® Statistics (March 2012)
JS/IFrame and JS/Agent both made the news on security blogs last month. "Even visiting security-oriented websites can sometimes be risky. If you’ve visited the security blog zerosecurity.org in March and you are also a user of ESET’s security products, you might have encountered an anti-virus alert," says ESET Security Intelligence Team Lead Robert Lipovsky. "Typically, these techniques are used in drive-by downloads, where a user ends up inadvertently and unknowingly downloading and running malicious code when browsing a (even legitimate) website," he adds. It should be noted that the administrator of zerosecurity.org responded very promptly after being contacted by ESET and removed the malicious code from the websites. "Similar compromises can happen to any of us and, as has been documented before, they occasionally do. The most probable explanation for this particular case would be WordPress exploitation, which has been on the rise recently," concludes Lipovsky.