In early October 2007, StopBadware.org, an initiative developed to combat malware—what it calls badware—released its analysis of current online threats. Among its key findings was the identification of the two top methods for compromising Web sites in 2007: iframe and JavaScript exploits.
According to the organization, iframe exploits—which load malicious pages in frames inside otherwise benign pages—and JavaScript browser exploits are based on injecting new code into the source code of a Web site.
"An iframe can be made so small that it is invisible, and the visitor to the infected page never knows that another page is also loading in the tiny iframe window," its report says. "Hidden iframes are most commonly inserted at the very top or the very bottom of a Web page’s source code."
And when JavaScript is used to spread malware, it is often encoded or encrypted to make its maliciousness difficult to detect, StopBadware says. But do not become automatically suspicious of all encoded JavaScript, as it does have its legitimate purposes. However, it is a good starting point for inspection of an allegedly compromised Web site, if you know what to look for, according to the organization.
StopBadware says these blocks of encrypted JavaScript can be easy to spot, as common techniques will create strings:
- Of percent signs with two characters after them (e.g. %AA%BB%CC)
- That consist of "\u" with four characters after (e.g. \u0048\u0069\u0021)
Encrypted blocks, by contrast, can also run to several paragraphs but are harder to find because there is no set pattern to search for: encrypted code simply looks like a block of unintelligible text, according to the organization. Normal JavaScript uses a syntax based on actual English words, while encrypted text appears in site source code as completely indecipherable letters, numbers, and symbols, StopBadware says.
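As an added example (not code from the StopBadware report or from Check Point), the following Python scanner flags the constructs described above in saved page source: iframes that are hidden or sized to 1x1, and runs of %XX or \uXXXX escapes inside script blocks. The sample HTML, the placeholder hostname and the minimum run lengths are constructed assumptions for this illustration.

```python
import re
from typing import List, Tuple

# Constructed sample page source (not taken from the report): a benign-looking
# page with an encoded script block and a 1x1 hidden iframe near the bottom.
SAMPLE_HTML = """<html><body>
<h1>Welcome to my blog</h1>
<script type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'));
var s = "\\u0048\\u0069\\u0021\\u0048\\u0069";
</script>
<p>Regular content.</p>
<iframe src="http://placeholder.invalid/x" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# The two string shapes StopBadware describes; the run lengths (8 pairs, 4
# escapes) are assumed thresholds chosen to skip ordinary short URL encoding.
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
UNICODE_RUN = re.compile(r"(?:\\u[0-9A-Fa-f]{4}){4,}")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

def iframe_is_hidden(tag: str) -> bool:
    """True if the iframe is styled invisible or has a width/height of 1 or less."""
    t = tag.lower()
    if re.search(r"(?:display\s*:\s*none|visibility\s*:\s*hidden)", t):
        return True
    dims = re.findall(r"\b(?:width|height)\s*=\s*[\"']?(\d+)", t)
    return any(int(d) <= 1 for d in dims)

def scan_page_source(html: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, snippet) for each suspicious construct found."""
    findings = []
    for m in IFRAME_TAG.finditer(html):
        if iframe_is_hidden(m.group(0)):
            line = html.count("\n", 0, m.start()) + 1
            findings.append(("hidden_iframe", line, m.group(0)[:60]))
    for s in SCRIPT_BLOCK.finditer(html):
        base = s.start(1)  # offset of the script body within the page
        for kind, pat in (("percent_encoded_run", PERCENT_RUN), ("unicode_escape_run", UNICODE_RUN)):
            for r in pat.finditer(s.group(1)):
                line = html.count("\n", 0, base + r.start()) + 1
                findings.append((kind, line, r.group(0)[:40]))
    return findings

if __name__ == "__main__":
    for kind, line, snippet in scan_page_source(SAMPLE_HTML):
        print(f"line {line}: {kind}: {snippet}")
```

Each hit reports the line number so an inspector can check whether a hidden iframe sits at the very top or bottom of the source, where the report says they are most often inserted.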
Script exploits like StopBadware's example of a JavaScript attack can be blocked by the Malicious Code Protector technology built into the Check Point Web Intelligence intrusion prevention system.
Its report also points out that malware infection can occur simply by browsing a Web site or clicking on links posted to blogs or social networks. Many of the Web sites that distribute malware are normally benign sites that have been compromised without the knowledge of the owner, according to the organization.
"The trends are worrisome," says Jonathan Zittrain, StopBadware co-director. "It's becoming commonplace for mainstream Web sites to be hacked so that they infect visiting computers. Webmasters are not fully aware of the risks."
The Trends in Badware report goes on to provide visual examples of the most common threats, as well as some that may not immediately be suspect. StopBadware based its malware analysis on research using data from hundreds of thousands of infected Web sites over the past year.