Recent web attack flawed, reducing effectiveness

Posted by Maxim Weinstein Fri, 28 Aug 2009 19:35:32 GMT

Mary Landesman at ScanSafe recently reported a script injection attack, and Ryan Naraine picked up the story over on the Zero Day blog. While the initial report describes 55,000 web pages (not web sites as the Zero Day post states) as distributing the payload, it appears that the real number is significantly lower. For example, Google is only reporting 1,105 infected domains that point to the site described in the story. Why the discrepancy? It appears that the attack was flawed, injecting its script code in many cases into the page title or other locations within the HTML that aren’t parsed for scripts by most browsers. In other words, the malicious script has been injected into a web page, but most visitors to the page aren’t at any risk of the script actually running.

Despite the threat being a bit overblown, the fact that many thousands of sites had this malicious code inserted highlights the vulnerability of these sites. It’s not clear what the infection vector was, though based on a very preliminary sample, it does not appear to be platform-specific, indicating it might be a result of local malware on the computers of the sites’ owners/webmasters.
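To see why an injection landing in the `<title>` is inert, here is an added example (not from the post or from ScanSafe) that walks an HTML document with Python's standard-library parser and reports each `<script>` tag together with its enclosing element; tags nested inside RCDATA elements such as `<title>` or `<textarea>` are treated as text by browsers and never run. The sample page and the `injected.example` domain are constructed placeholders, not the site from the story.

```python
"""Report where <script> tags sit in a page and whether a browser would run them."""
from html.parser import HTMLParser

# Elements whose content browsers parse as text (RCDATA per the HTML spec),
# so a <script> tag injected inside them is never executed.
INERT_PARENTS = {"title", "textarea"}
# Void elements never have children; keep them off the open-element stack.
VOID = {"meta", "link", "br", "img", "input", "hr", "base"}


class ScriptLocator(HTMLParser):
    """Record every <script> start tag with its nearest enclosing element."""

    def __init__(self):
        super().__init__()
        self.stack = []      # names of currently open elements
        self.findings = []   # (src, context, live) tuples

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            inert = [t for t in self.stack if t in INERT_PARENTS]
            context = inert[-1] if inert else (self.stack[-1] if self.stack else "root")
            src = dict(attrs).get("src", "(inline)")
            self.findings.append((src, context, not inert))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open element; tolerate sloppy markup.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def classify_scripts(html):
    parser = ScriptLocator()
    parser.feed(html)
    parser.close()
    return parser.findings


def live_script_sources(html):
    """src values of scripts a browser would actually execute."""
    return [src for src, _ctx, live in classify_scripts(html) if live]


# Constructed sample: the same script injected into <title> (inert) and <body> (live).
SAMPLE_HTML = """<html><head>
<title>Welcome<script src="http://injected.example/x.js"></script></title>
<meta charset="utf-8"></head><body><p>Hello</p>
<script src="http://injected.example/x.js"></script>
<textarea><script>alert(1)</script></textarea></body></html>"""

if __name__ == "__main__":
    for src, ctx, live in classify_scripts(SAMPLE_HTML):
        print(f"{'LIVE ' if live else 'inert'} in <{ctx}>: {src}")
```

Running a scan like this over crawled pages explains the gap between "pages containing the injected string" and "pages that actually serve the payload".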


Google sees increase in detections

Posted by Maxim Weinstein Thu, 27 Aug 2009 13:43:36 GMT

Niels from Google’s security team posted some updated detection stats over on the team’s blog:

As we mentioned in our Top-10 Malware Sites blog post, we have seen a large increase in the number of compromised sites since April. The number of entries on our malware list has more than doubled in one year, and we have seen periods in which 40,000 web sites were compromised per week. However, compared to infections associated with Gumblar and Martuz, two relatively large and well-known pieces of malicious code, many compromised web sites now point to hundreds of different domains. As these malware trends evolve, we’re constantly improving our systems to better detect compromised web sites. The increase in compromised sites we observed may have also been influenced by our improved detection capabilities.

Google’s significant increase in detection, along with our addition of Sunbelt Software as a data partner, means our Clearinghouse now holds nearly 420,000 actively reported badware URLs.

Niels also mentions another interesting data point: the percentage of Google searches that contain at least one result Google has flagged as bad, currently around 0.75%. The percentage has dropped since early last year, but has recently begun creeping back up, likely because of the increase in detected badware sites.


Internship opportunities

Posted by Maxim Weinstein Mon, 24 Aug 2009 18:09:04 GMT

We are looking for interns to work in our office in Cambridge, MA. We have a couple openings for website testers to evaluate sites for badware code (JavaScript knowledge required), and another opening for someone interested in conducting a research project to help map out the threats and stakeholders involved in Web-based malware and its prevention.

Descriptions of both positions can be found here.
