Don't be dragooned into the botnet army

28.10.2008

Much like the bot software they install, SQL injection and similar Web attacks force victim sites to do their bidding. And they have a growing number of holes to target: In 2007 one security company, SecureWorks, found 59 flaws in applications that allowed for SQL injection attacks. So far in 2008, it has found 366.
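To make the mechanism concrete: the hole that SQL injection exploits is a query built by splicing user input into SQL text, and the fix is to bind the input as a parameter so the database treats it as data. The following is an added example, not code from the article or from any site it names; the `pages` table, the slugs, and the hostile input are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: a tiny "pages" table standing in for a site's
# content store. Hypothetical schema, not taken from the original article.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("home", 1), ("about", 1), ("draft-q4-plan", 0)],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    # The defect: untrusted input is spliced into the SQL text, so quote
    # characters in the input change the structure of the query itself.
    sql = (
        f"SELECT slug FROM pages WHERE slug = '{slug}' AND published = 1 "
        "ORDER BY slug"
    )
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, slug: str) -> list:
    # Hardened form: the value travels as a bound parameter and is compared
    # as data, whatever characters it contains. Same query, no string splicing.
    sql = "SELECT slug FROM pages WHERE slug = ? AND published = 1 ORDER BY slug"
    return [row[0] for row in conn.execute(sql, (slug,))]

def demo() -> dict:
    """Run both lookups against a benign and a constructed hostile input."""
    conn = make_db()
    benign = "home"
    # Constructed hostile input: the quote closes the string literal early,
    # and the tautology that follows widens the WHERE clause.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),    # ["home"]
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every published page
        "safe_benign": lookup_safe(conn, benign),          # ["home"]
        "safe_hostile": lookup_safe(conn, hostile),        # [] - treated as data
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns rows the caller never asked for, which is the same class of control an attacker uses to plant malware-serving content on a compromised page; the parameterized lookup returns nothing for the hostile string because there is no page with that literal name. Auditing a code base for string-built queries, and replacing each with a bound-parameter form, is the "closing those holes" work the article describes.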

Tracking down and closing those holes before crooks find them can be a real challenge. Just ask BusinessWeek.com. That site was only the latest big-name online property to suffer an attack. When we checked at the end of September in our research for the print-magazine version of this story, the report said that among BusinessWeek.com's 2484 pages the search giant had found 213 that "resulted in malicious software being downloaded and installed without user consent" over the past 90 days. The report didn't list the site as suspicious overall, and stated that "the last time suspicious content was found on this site was on 09/11/2008." In reply to our inquiries, a BusinessWeek spokesperson wrote that "the attack affected only one application within a specific section of our website, and that application has been removed."

The Big Risk: Web Exploits

According to Joe Stewart, director of malware research at SecureWorks, for a would-be botnet criminal these Web exploit attacks are by far the preferred choice for distributing evil code. "It's almost unheard of these days for these guys to try and send the attachment in e-mail," he says. "Even e-mails will typically direct you to an infected site."

Stewart hasn't noticed any major growth in the large botnets that he watches, but he says he typically sees an ebb and flow in the size of distributed malware networks. When IT workers and antivirus companies catch on to bot infections and clean them up, the crooks respond by infecting a new batch of PCs. "They're having to keep up these seeding campaigns to keep up their botnet size," Stewart says.