The majority of Web sites serving up attack code are legitimate domains that have been hacked by criminals, according to data compiled by security vendor Websense.
It is the first time that legitimate sites outnumber the malicious ones hackers purposefully set up to spread malware.
Websense found 51% of the sites it classified as malicious in the second half of 2007 had been compromised and then seeded with attack code that infected unpatched machines visiting the URLs. The remaining 49% were "intentionally built for malicious intent," the Websense report said.
Hacking legitimate sites to make them push malware gives attackers instant advantages, said Dan Hubbard, Websense's vice president of security research.
"It's a great vector because they don't need to drive users to the sites in many cases; they also get free hosting, of course, and [it's] hard to trace ownership," Hubbard said. "Additionally, if someone is allowing access based on reputation, then they may go undetected."
Among the legitimate sites that have been hacked are those of Dolphin Stadium, the Miami Dolphins American football team, and Bank of India, one of that country's largest banks.
The trend is accelerating, said Hubbard, who noted that the last report estimated that the proportion of hacked legitimate domains was in the mid-30% range.
A significant number of the sites are compromised by the multi-exploit tool kits made infamous by Mpack and Neosploit. Websense estimates that 19%, or about one in five, of malicious sites were created or compromised using such tool kits.
"Exploit tool kits are being utilised more than ever," Hubbard said. "This can be a sign of increased sharing or increased numbers of sites that the same groups are attacking and infecting successfully."