.ru was last month's most abused ccTLD for malware hosting

Jun 17, 2010 14:37 GMT

Avira reports that the number of PDF documents rigged with malware rose by 50 percent in May compared with the previous month. Data gathered by the company also reveals that .ru was the preferred country code TLD for hosting malware and that .br had the largest number of phishing websites.

According to the German antivirus vendor, the most abused file extensions were exe, txt, php, jpg, dll, pdf, gif and com, while 31% of all malicious files detected had no extension at all. Even though the infected PDF documents represented only 1.20% of the total number, the increase compared with April was considerable – 52.14%. So were the monthly deviations for cmd (66.67%), ocx (56.25%) and swf (43.30%).

As far as domain TLD abuse goes, .com leads by far in both the phishing and malware hosting categories with 49.9% and 44.53%, respectively, although these numbers actually represent a decrease from the previous month. As expected, .com is followed in the stats by .net and .org, but the most interesting changes were registered for the country code TLDs.

While .kr (South Korea) dominated in both sections during April, this month, the .kr abuse registered major drops of 246.22% for phishing sites and of 27.72% for malware, leaving the lead to .br (Brazil) and .ru (Russia). "A big increase [of almost 100%] is noticeable in the usage of plain IP addresses," Avira's Manager of International Software Development, Sorin Mustaca, points out.

PayPal retains its domination in the stats for the most phished brands, being the target of 44.99% of registered attacks. The top five is completed by eBay (16.05%), HSBC Bank (12.04%), Facebook (5.33%) and Bank of America (2.09%).

Finally, when it comes to spam, the preferred category for May was online pharmacy, which accounted for 13.37% of all junk email. This was followed by replica watches (7.34%), fake university degrees (7.26%), Nigerian 419-like scams (2.80%) and loans (2.63%).