Is Malware Changing the Web?
On July 6th, we noted that malware-laced ads had plagued PirateBay and other torrent and ROM sites. One of the malware domains involved in those attacks, microsotf.cn, continues to factor prominently in a wave of ongoing compromises believed to be the result of stolen FTP credentials. Current malware domains include:
updatedate.cn
microsotf.cn
trughtsa.com
The attacks use PDF exploits to deliver fake malware alerts to trick victims into purchasing fraudulent software. Generally speaking, signature detection of scareware is fairly decent and this round of attacks is no exception.
What is a bit different about these particular compromises is how Web surfers are encountering the sites. A third (33%) of all encounters appears to be the result of search engine queries that led to the tainted websites. Of those, 80% of the searchers used Google, 5% used Yahoo, 3% used Bing and 1% used AOL. The remaining 11% were the result of searches performed on sites that have a search feature but are not an actual search engine.
Historically, search engine queries have accounted for less than 10% of all Web malware encounters on average, with the occasional outlier.
An example of an outlier would be the 'search-engine-friendly' attacks in January 2008, in which attackers gained control of a large number of mom & pop style websites, a website demographic very similar to the current microsotf.cn targets. During the height of that outbreak, searches resulted in 18% of the exposures. Certainly a change in outliers from 18% to 33% doesn't mean a trend is developing, but it is something that bears watching.
Another interesting change involves crosslinks. In the January 2008 compromises, 72% of the encounters were via links included on other websites. In the recent microsotf.cn related compromises, only 30% of the encounters resulted from crosslinks.
Is this an early indicator that website operators are taking a more insular approach? And if so, is it the result of ongoing Web malware attacks?

Mary Landesman
Reader Comments (1)
Add 1 more to the list. All pages currently hosted on my server had code injected after the body tag in the index.html and login.html files on July 15th. In addition, two of my clients' sites which I accessed recently were also compromised. The malicious code inserts an iframe to updatedate.cn, which attempts to download various other malicious programs.
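As an added example (not code from the post or from the commenter), a small Python checker for the injection the comment describes: it flags any iframe that points at one of the domains named above, or that sits directly after the body tag, and can walk a web root to find affected files. The watch-list and the sample page are constructed for this example.

```python
import os
import re
from urllib.parse import urlparse

# Watch-list of the domains this post names; a constructed list for the example.
MALWARE_DOMAINS = {"updatedate.cn", "microsotf.cn", "trughtsa.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*?\ssrc\s*=\s*['\"]?([^'\">\s]+)", re.IGNORECASE)
BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)

def host_of(src):
    """Normalise an absolute, scheme-relative or bare iframe src to its lower-cased host."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()

def find_injected_iframes(html, watchlist=MALWARE_DOMAINS):
    """Return (src, reason) for every iframe that points at a watch-listed domain (or a
    subdomain of one), or that is the first thing after the <body> tag, the injection
    point the reader comment describes. Benign embeds elsewhere are left alone."""
    findings = []
    body = BODY_RE.search(html)
    for m in IFRAME_RE.finditer(html):
        src = m.group(1)
        host = host_of(src)
        if any(host == d or host.endswith("." + d) for d in watchlist):
            findings.append((src, "known malware domain"))
        elif body and html[body.end():m.start()].strip() == "":
            findings.append((src, "iframe injected directly after <body>"))
    return findings

def scan_webroot(root):
    """Walk a web root and report (path, src, reason) for each suspicious iframe found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend((path, src, why) for src, why in find_injected_iframes(fh.read()))
    return hits

# Constructed sample page: hidden iframe injected right after <body>, plus a legitimate embed.
SAMPLE_HTML = """<html><body><iframe src="http://updatedate.cn/in.php" width="1" height="1"></iframe>
<h1>Welcome</h1>
<iframe src="https://maps.example.com/embed"></iframe>
</body></html>"""
```

Running `scan_webroot("/var/www")` (path is an assumption) lists every page carrying such an iframe; after cleaning, rotate the FTP credentials the post identifies as the likely entry point, since the injection will otherwise return.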