US servers host most of the world's malicious code - despite the claims of China, Russia or eastern European countries. That's according to security vendor Finjan after analysis of more than 10 million URLs.
The data was collected from live end-user traffic in the UK using Finjan's content inspection engines, said Yuval Ben-Itzhak, CTO of Finjan. Unlike some other studies, which look at domain names to make assumptions about where a server is based, Finjan's research tracked each IP address to its exact geographical location, Ben-Itzhak said.
"Most people think of Russia and China when you talk about malicious code," he said. "However, it appears this fact is no longer valid. What we found was that about 80 percent of the malicious code comes from servers hosted in the US."
The other top countries hosting malicious code are the UK, with 10 percent, and Canada, Germany and Italy, Ben-Itzhak said. "The results of this study shatter the myth that malicious code is primarily being hosted in countries where e-crime laws are less developed."
One reason for the trend could simply be that free web hosting servers are more readily available in North America and Europe than in some other regions, according to Finjan. That makes it more cost-effective for cybercriminals to host malicious code on servers in those countries. In many cases, malicious code also appears to have been hosted on servers offering legitimate content that were compromised by hackers, the report said.
The Finjan report also notes a continued trend towards the appearance of malicious code on legitimate sites frequented by business users and consumers. Unlike in the past, when most malicious code was found on questionable sites such as those hosting porn, users are now just as likely to get infected when visiting finance and travel sites, for instance.
Advertisements containing malicious code continue to be a growing problem, Ben-Itzhak said. The fact that numerous parties - ad agencies, affiliate networks and adware makers - are involved in the delivery chain from advertiser to consumer makes it an ideal channel to hide spyware and other malware, he said.
One recent example was an advertisement for a security program called WinFixer that appeared on Microsoft's Windows Live Messenger in February without the company's consent or knowledge. Similarly, last June, malware contained in a banner advertisement on Myspace managed to infect about one million PCs.
Cybercriminals are also increasingly planting their code in search engine results from Google, Yahoo and MSN, the Finjan report warned.
In most cases, the malicious code being distributed consists of botnets and Trojan programs, the Finjan report said.