The number of new pieces of malware spiked in the first quarter of this year, and the majority of the new threats are being embedded in malicious Web sites.

According to a study from Sophos, an antivirus and anti-spam company, researchers discovered 23,864 new threats in the first three months of 2007. That's more than double the number of new malware identified in the same period last year, when Sophos discovered 9,450.

While the number of malware is increasing, where it's being found is changing.

Historically, malware has plagued e-mail, hidden in malicious attachments. While that's still happening, more virus writers are putting their efforts into malicious Web sites.

Sophos noted that the percentage of infected e-mail has dropped from 1.3%, or one in 77 e-mails in the first three months of 2006, to one in 256, or just 0.4% in this year's first quarter.

In the same time period, Sophos identified an average of 5,000 new infected Web pages every day. With computer users becoming more aware of how to protect against e-mail-based malware, hackers have turned to the Web as their preferred vector of attack.

The Trojan Fujif accounted for 50.8% of all the malware hosted on Web sites in the first quarter of this year, Sophos reported. The trojan is typically found in html or ASP files, and can download and execute files from malicious Web sites to infected computers.

Not all of the infected Web sites were created by the hackers themselves, according to Sophos' advisory.

The company's researchers found that 70%, were legitimate Web sites that were vulnerable to attack because they were unpatched, poorly coded, or had not been maintained by their owners. They also found that 12.8% were hosting malicious script, while Windows malware was responsible for infecting 10.7%. Adware was found on 4.8% of these pages, and porn dialers on 1.1%.

"What's most worrying is that so many Web sites are falling victim because the owners are failing to properly maintain them and keep up to date with their patches," said Carole Theriault, a senior security consultant at Sophos, in a written statement. "The average Internet user assumes sites like the Miami Dolphins homepage are safe to access, but by targeting a whole range of Internet pages, hackers are successfully infecting a larger number of unwary surfers. Any ill-maintained Web site can fall victim."

In February, hackers infected the legitimate Miami Dolphins Web site with a malicious script, known as Mal/Packer. Hackers infected the site right before the Miami football stadium was set to host the Super Bowl, affecting a large number of users who were visiting the site for game information.