Ask Sucuri: What is the most common type of malware out there?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.

Question: What is the most common type of malware (on web sites) that you find?

Unfortunately, the answer to this question changes every few months. For February and March 2011, we scanned more than 200,000 web sites (211,520 to be more precise), and almost half of those sites had some type of malware. (A high percentage of the users who scan sites with our scanners are already infected or suspect some type of funny business with their web property.)

To be exact, 90,870 (around 42%) had some type of malware. This is the breakdown (some sites may have more than one issue identified, so the numbers may not add up):

20,032 http://sucuri.net/malware/entry/MW:IFRAME:HD202 (generic hidden iframe)
18,600 http://sucuri.net/malware/entry/MW:SPAM:SEO (blackhat spam seo)
14,660 http://sucuri.net/malware/malware-entry-mwjs1240 (oscommerce related malware)
9,210 http://sucuri.net/malware/malware-entry-mwjs488 (.co.cc type of malware)
4,054 http://sucuri.net/malware/malware-entry-mwjs612 (more oscommerce related malware)
3,065 http://sucuri.net/malware/entry/MW:BLK:2 (remote include of blacklist site – cross-site warning)
2,082 http://sucuri.net/malware/entry/MW:HTA:7 (.htaccess modified)
2,058 http://sucuri.net/malware/malware-entry-mwgdd5
2,023 http://sucuri.net/malware/entry/MW:JS:150
1,076 http://sucuri.net/malware/entry/MW:JS:152
1,044 http://sucuri.net/malware/entry/MW:IFRAME:HD28
8,09 http://sucuri.net/malware/entry/MW:RKS:4
8,04 http://sucuri.net/malware/entry/MW:OSCOM:1
707 http://sucuri.net/malware/malware-entry-mwiis4
703 http://sucuri.net/malware/entry/MW:GDD:3
603 http://sucuri.net/malware/entry/MW:GDD:4
506 http://sucuri.net/malware/entry/MW:DEFACED:01
503 http://sucuri.net/malware/entry/MW:JS:GEN2
309 http://sucuri.net/malware/entry/MW:JS:151
302 http://sucuri.net/malware/entry/MW:MROBH:3
209 http://sucuri.net/malware/entry/MW:JS:445
206 http://sucuri.net/malware/malware-entry-mwjs611
205 http://sucuri.net/malware/entry/MW:RKS:3
203 http://sucuri.net/malware/entry/MW:JS:431
201 http://sucuri.net/malware/malware-entry-mwjs518
108 http://sucuri.net/malware/malware-entry-dwfcc-co-cc
107 http://sucuri.net/malware/entry/MW:JS:223
107 http://sucuri.net/malware/entry/MW:JS:222
107 http://sucuri.net/malware/entry/MW:IFRAME:HD37
103 http://sucuri.net/malware/malware-entry-mwjs817
103 http://sucuri.net/malware/malware-entry-mwiframehd203

As you can see, our generic rule to catch hidden iframes had the most hits, followed by Blackhat SEO Spam. After that, we got a lot of web sites infected with oscommerce-related malware, “Hilary Kneber” and a few others… You can copy and paste any of the above URLs to get more details.

We will do this breakdown every few months to see how those numbers are changing.

Have a question or a comment? Make sure to ask below :)

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.