Malware Maelstrom Coming from Russia with Love

Security vendors note the rise of malware threats from Russia.

A resurgence of malware activity in Russia has caught the eye of security vendors.

Recently, researchers at Trend Micro have found a Russian server hosting some 400 pieces of malware that may be part of a forthcoming large-scale attack, while at least one other vendor reported that the country has quickly moved back up on the list of purveyors of Web-based malware.

Paul Ferguson, network architect at Trend Micro, in Cupertino, Calif., said the company ran across the server, which had a "cornucopia of new malware," the week of July 23. During an investigation, researchers found there were Web sites with malicious iFrames proxying requests for the malware. The Web sites all had Italian-sounding names and Italian content, but actually resided in a hosting facility in Germany, he said.

An iFrame is an HTML element that makes it possible to embed another HTML document inside the main document. In this case, the iFrames are believed to have been deliberately inserted by the owners of the Web sites to snare unsuspecting visitors as part of a porn-for-pay scam, Ferguson said.

"Looking at these massive samples of malware, we cant help [but] think that theres something brewing in Russia," wrote researcher Carolyn Guevarra in a blog posting on Trend Micros Web site. "We have just seen these cyber-criminals pull the Italian Job recently."

The operation dubbed "the Italian Job" by Trend Micro researchers involved some 10,000 Web sites with malicious code that redirected visitors to a server booby-trapped with drive-by exploits. The attack used Italian Web sites more than others.

/zimages/5/28571.gifClick here to read about a survey that shows how pervasive malware distribution has become.

Researchers at Sophos, headquartered in Abingdon, England, have also reported a rise in Web-based malware from Russia. The companys experts noted in a report about the top 10 Web and e-mail-borne threats for July 2007 that the number of malware-infected Web pages hosted by Russia has increased substantially between June and July, jumping from 3.5 to 14.7 percent.

"This can be explained by the large number of Mal/iFrame and Mal/ObfJS-infected Web pages in Russia that have been compromised to serve as drive-by sites," the report said.

The Sophos report put China at the top of the list with 49.8 percent and the United States in second place with 21.8 percent.

Malware numbers are growing rapidly, in particular adware, spyware and stealthy, targeted attacks, according to officials at McAfee, headquartered in Santa Clara, Calif. In 2000, McAfee Avert Labs counted about 50,000 unique malicious items. That jumped to 100,000 in 2003, and in August 2006, the 200,000 mark was reached. McAfee officials said they expect to see the 300,000th unique piece of malicious software, such as worms, viruses or Trojans, this week.

"This statistic underscores how the malware market has shifted from fame to fortune," said Dave Marcus, security research and communications manager for McAfee Avert Labs. "Bots, adware, spyware and other attacks make up an over $100 billion global market for cyber-crime—surpassing drug trafficking as a global issue from a monetary perspective."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.