Malware-URL Extension Statistics January 2010

We like to introduce statistics about the file extensions which get used in malware URLs that are embedded in emails for example or are used on infected websites. We will publish these statistics on a monthly basis from now on.

An URL can point to a file having an extension or to a complete domain that  has some kind of server side code which drops a file on the visitor’s computer. The ‘none’ file type below means that the URL represents actually a domain. Note that even if a file has an usually harmless extension (like ‘.txt’), it doesn’t actually mean that this file is really a text file – it only has the innocent extension in order to fool the user to download it and execute it.

Overall file extensions used:

# Extension % Variation from
December
in %
1 exe 53.29 44.65
2 none 18.99 -42.62
3 txt 10.37 31.66
4 php 6.56 -24.46
5 rar 2.71 79.88
6 jpg 1.38 -25.50
7 htm 1.23 -102.89
8 gif 1.07 21.85
9 html 0.89 -63.72
10 pdf 0.62 72.61
11 zip 0.56 21.99
12 com 0.49 -166.94
13 pl 0.47 -9.17
14 asp 0.40 -125.74
15 dll 0.36 -38.89
16 dat 0.16 50.00
17 swf 0.14 -38.89
18 css 0.11 -7.41
19 js 0.09 -145.83
20 png 0.04 -63.64
21 aspx 0.04 -1188.89
22 ocx 0.02 40.00
23 cmd 0.004 -100.00
24 bat 0.004 -300.00
25 jsp 0.000 0.00

Red values are negative, green ones positive.

Sorted by deviation from December 2009:

# Extension %
1 rar 79
2 pdf 72
3 dat 50
4 exe 44
5 ocx 40
6 txt 31
7 zip 21
8 gif 21
9 jsp 00
10 css -07
11 pl -09
12 php -24
13 jpg -25
14 swf -38
15 dll -38
16 none -42
17 png -63
18 html -63
19 cmd -100
20 htm -102
21 asp -125
22 js -145
23 com -166
24 bat -300
25 aspx -1188

We also have a pie chart about the extensions used:

Sorin Mustaca
Manager International Software Development