Sophos has published new research into the first six months of cybercrime in 2007.  The Sophos Security Threat Report examines existing and emerging security trends and has identified a sharp rise in the number of web threats, as well as the countries and server types hosting the most infected sites.

“The first half of 2007 has seen an explosion in threats spread via the web, which has now taken over from email as the preferred vector of attack for financially motivated cybercriminals,” says Brett Myroff, CEO of master Sophos distributor, NetXactics.
In June alone, Sophos's global network of monitoring stations uncovered a record number of infected webpages – approximately 29,700 – each day.  In contrast, earlier in 2007, the number of malicious pages detected stood as low as just 5,000 per day.
Taking a snapshot of just 1 million of those webpages, experts found that 28.8% were hosting malware.  A further 28% were blocked due to the adult nature of their content, most commonly because they were pornography or gambling sites.  Pages set up by spammers accounted for 19.4% and 4.3% were classed as illegal sites, for instance, they were peddling pirated software or were phishing sites.
Of the websites containing malicious code, just one in five had been designed specifically for malicious activity, with the remaining 80% made up of legitimate sites that have fallen victim to hackers.
By compromising a single file on a web server, cybercriminals can easily and quickly cross-contaminate a huge number of websites, as the infected file may form part of a plethora of unrelated pages, all of which are published from the same server.
The breakdown of the world's top server types affected by web threats in the first six months of 2007 reads as follows:
1 – Apache: 51%
2 – Microsoft IIS 6: 34%
3 – Microsoft IIS 5: 9%
4 – nginx: 3%
5 – Other: 3%
The fact that more than half of all infected web pages were hosted on Apache servers demonstrates that infection is not simply a Windows problem.
Earlier this year, during a global ObfJS attack, in which legitimate sites were compromised so that they could serve up malicious code, 98% of affected servers were running Apache – many of which were hosted on UNIX rather than Windows platforms.
With 80% of all infected webpages found on legitimate sites, this raises the question of why web hosts are not taking the necessary steps to properly secure their servers.
“Simple measures such as keeping up to date with security patches will go a long way towards thwarting this problem – the fewer holes in server setups, the lower the risk of infection,” Myroff says.
“Web hosts that are currently not behaving responsibly must bite the bullet and take better care of their sites.  Using Apache on your web server doesn't ensure bullet-proofing from hackers trying to plant malicious code on your site.  It will be a wake-up call for some that malware is not just a Microsoft problem.”
The top ten list of web-based malware hosted on these infected sites during the first six months of 2007 reads as follows:
1 – Mal/Iframe: 49.2%
2 – Troj/Fujif: 7.9%
3 – JS/EncIFra: 7.3%
4 – Troj/Psyme: 8.3%
5 – Troj/Decdec: 6.9%
6 – Troj/Ifradv: 4.1%
7 – Mal/ObfJS: 2.5%
8 – Mal/Packer: 1.5%
9 – VBS/Redlof: 1.1%
10 – Mal/FunDF: 0.9%
Other: 10.3%
Mal/Iframe, which works by injecting malicious code onto web pages, dominates this chart, accounting for almost half of the world's infected URLs.  Furthermore, it shows no sign of abating – in a recent potent attack, more than 10,000 web pages were infected, the majority of which were on legitimate webpages hosted by one of Italy's largest ISPs.
Mal/Iframe is a textbook example of a spawning web threat that targets and exploits vulnerable sites regardless of whether the content is about pottery or pornography.  "Web security solutions must go beyond blocking websites based simply on category – a gambling site may seem more of a threat, but sometimes the most innocuous sounding site can pose the greatest danger,” Myroff adds.
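The two patterns the report describes, a hidden iframe injected into otherwise legitimate pages and one compromised include file contaminating many pages published from the same server, can be checked for from the hosting side. The script below is an added example written for this summary; it is not Sophos code and does not implement any Sophos detection. It parses a set of HTML pages, flags iframes that point off-site and are hidden or sized to zero, and then groups the flagged sources by how many pages share them, which is the fingerprint of a shared template or include. The page URLs, hostnames and HTML are constructed sample data, not sites from the report.

```python
"""Find hidden off-site iframes in a set of HTML pages and report which
pages share the same injected source.  Added example with constructed
sample pages; the hostnames below are placeholders, not real sites."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def is_suspicious_iframe(attrs, page_host):
    """Heuristic: the frame loads from another host AND is made invisible,
    either by a zero/one pixel size or by CSS that hides it.  A visible
    third-party embed (video player, map) is not flagged."""
    src = attrs.get("src", "")
    src_host = urlparse(src).hostname
    if not src_host or src_host == page_host:
        return False  # same-site frames are ordinary page structure
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip("px") in {"0", "1"} for dim in ("width", "height"))
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def scan_pages(pages):
    """pages: {page_url: html}.  Returns {suspicious_src: [page_url, ...]}."""
    hits = defaultdict(list)
    for url, html in pages.items():
        page_host = urlparse(url).hostname
        for attrs in extract_iframes(html):
            if is_suspicious_iframe(attrs, page_host):
                hits[attrs["src"]].append(url)
    return dict(hits)


def shared_injections(hits, min_pages=2):
    """Sources present on several pages: one compromised include or template
    published to many pages, as the report describes."""
    return {src: urls for src, urls in hits.items() if len(urls) >= min_pages}


# Constructed sample: the same hidden frame appears on three pages of two
# sites (as if a shared footer include had been modified); one page also has
# a normal same-site frame and one has a visible third-party video embed.
INJECTED = ('<iframe src="http://injected-host.example/inject.html" '
            'width="0" height="0" style="display:none"></iframe>')
SAMPLE_PAGES = {
    "http://pottery.example/index.html": "<html><body><h1>Pots</h1>" + INJECTED + "</body></html>",
    "http://pottery.example/about.html": "<html><body><p>About us</p>" + INJECTED + "</body></html>",
    "http://bakery.example/menu.html": ("<html><body>" + INJECTED +
                                         "<iframe src='http://bakery.example/map' width='400' height='300'>"
                                         "</iframe></body></html>"),
    "http://clean.example/": ('<html><body><iframe src="https://video.example/embed/1" '
                              'width="560" height="315"></iframe></body></html>'),
}

if __name__ == "__main__":
    found = scan_pages(SAMPLE_PAGES)
    for src, urls in shared_injections(found).items():
        print(f"{src} injected into {len(urls)} pages:")
        for u in urls:
            print("   ", u)
```

The size-and-visibility heuristic is deliberately narrow so that it does not fire on ordinary embeds; on a real host it would be run over the document root of every virtual host, and a source shared across unrelated sites is the first file to examine.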
The top ten list of countries hosting malware-infected web pages during the first half of 2007 reads as follows:
1 – China: 53.9%
2 – United States: 27.2%
3 – Russia: 4.5%
4 – Germany: 3.5%
5 – Ukraine: 1.2%
6 – France: 1.1%
7 – Canada: 0.8%
8 – United Kingdom: 0.7%
9 – Taiwan: 0.6%
9 – South Korea: 0.6%
Other: 5.9%
China, which at the end of 2006 hosted just over a third of all malware, has now overtaken the US, and in the first six months of 2007 was responsible for hosting more than half of all web threats reported to Sophos in this period.  China's dramatic rise in the chart is primarily due to widespread Mal/Iframe infections on Chinese hosted web pages.  In fact, more than 80% of the country's compromised web pages are infected with this malware.
The first half of 2007 has seen a resurgence in the spread of malware via removable drives – not the floppy disk that carried viruses in the early 1990s, but USB memory sticks.  Using this method, hackers are able to take advantage of users who have "auto-run" enabled on their Windows PC to automatically execute code as soon as the stick has been attached to the computer.  A notable example this year is the LiarVB-A worm which spread information about AIDS and HIV via USB keys.
USB sticks are a growing concern for businesses. They are cheap and being mass produced.  "Users must be aware of risks of unknown drives – even when newly purchased, as you never know what you might be plugging into your network."
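The auto-run behaviour the passage describes is driven by an autorun.inf file in the root of the drive, whose [autorun] section names a program for Windows to launch. A defender checking a removable drive before it is trusted can parse that file and report what it would launch. The script below is an added example for this summary, not code from Sophos or from the report; it reads the INI-style autorun.inf format with the standard library and treats the open, shellexecute and shell\open\command directives as launch entries. The two sample files are constructed, and the mount path passed to scan_removable_root is a placeholder.

```python
"""Parse an autorun.inf and report whether it would launch a program when
the drive is inserted.  Added example; the sample files are constructed."""
import configparser
from pathlib import Path

# Directives in the [autorun] section that cause a program to run.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the [autorun] section as a dict (keys lower-cased), or {} if
    the file has no such section.  Section names are matched case-insensitively
    because Windows accepts [AutoRun] and [autorun] alike."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def assess_autorun(text):
    """Return (would_launch, targets): would_launch is True when any launch
    directive names a program; targets lists those program strings in
    LAUNCH_KEYS order, so an administrator can see what would have run."""
    auto = parse_autorun(text)
    targets = [auto[key] for key in LAUNCH_KEYS if auto.get(key)]
    return bool(targets), targets


def scan_removable_root(mount_point):
    """Check the root of a mounted volume (path is a placeholder supplied by
    the caller) for an autorun.inf.  Returns (would_launch, targets);
    a volume without the file returns (False, [])."""
    inf = Path(mount_point) / "autorun.inf"
    if not inf.is_file():
        return False, []
    return assess_autorun(inf.read_text(errors="replace"))


# Constructed samples: a vendor file that only sets an icon and label, and a
# file that names a program to execute on insertion.
BENIGN_INF = "[autorun]\nicon=driver.ico\nlabel=Vendor Tools\n"
LAUNCHING_INF = ("[AutoRun]\n"
                 "; comment lines are allowed in the format\n"
                 "open=tools\\install.exe\n"
                 "shell\\open\\command=tools\\install.exe\n"
                 "icon=tools\\install.exe,0\n")

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_INF), ("launching", LAUNCHING_INF)):
        would_launch, targets = assess_autorun(text)
        print(f"{name}: launches on insertion = {would_launch}, targets = {targets}")
```

On systems where the check matters, the policy counterpart is the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which disables AutoRun per drive type; later Windows updates stopped honouring autorun.inf on USB drives altogether, which is the mitigation the passage's "auto-run enabled" wording points at.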
Another new tactic employed by cybercriminals during this period has been the use of attachments in spam messages.  To avoid detection by less sophisticated gateway filtering products, there is a growing trend for spammers to use PDF files carrying a graphical version of their marketing message, in their attempt to reach potential customers.
Email threats continue to cause concern for businesses and, although they have become eclipsed by web-based threats, the actual amount of email-borne malware has remained constant during the past year.  The proportion of infected email during the first half of 2007 was 1 in 337, or 0.29% of all messages.  More than 8,000 new versions of the Mal/HckPk threat were seen during 2007, as it was used to disguise widespread email attacks like Dref and Dorf.