The number of websites hosting malicious code is on the increase, says AVG Technologies.

Roger Thompson, chief research officer at the security firm said AVG, is seeing between 200,000 to 300,000 new websites per day hosting code that can in some cases result in a PC being infected with malware just by visiting the site.

Up to 70 percent of those websites are regular ones that have been hacked in order to host malicious code, a statistic that shows how poor website security is across the internet. The remainder are custom-built sites, he said.

See also: AVG Anti-Virus 8.0 Free review

Of those custom-built sites, however, there is some positive news. One common social-engineering trick is to put up a website offering codecs, or bits of software used to encode and decode video files. While purporting to be a codec, the file is often malicious software designed to steal data.

AVG found that up to 94 percent of the fake codec websites are taken offline within 10 days, with 62 percent taken down in a day or less. In the past, the sites may have stayed online as long as two weeks, showing that ISPs appear to be acting faster to remove them and current mechanisms for reporting bad websites are having an impact.

Still, the sheer number of sites infected may mean that the time online is less important as long as the hackers are attracting traffic.

Thompson said many hackers seek out less-professional websites with unpatched versions of 'htaccess', a configuration file used to manage access to certain pages on a website.

Htaccess is a powerful file, since it can be manipulated to redirect users to other websites depending on how they came to the website, Thompson said. For example, it can be configured to direct users who found the website through Yahoo or Google to a different, hostile website which looks to see if the PC is potentially hackable.

But if the hostile website is being visited by a bot and not coming from a search engine, the site will refuse to serve up any exploits, making it difficult for security analysts to automatically scan the web for bad sites, Thompson said.

However, hackers are getting lazy. They often reuse the same JavaScript and HTML code used to launch attacks, which makes those attacks easy to identify. That's good, since the underlying binary attack code can often also be tricky for security software to identify.

"That's a pretty good bottleneck," Thompson said. "It's like having a letter bomb with the outside of the envelope saying 'I'm a bomb'."

See also: Obama hacked as Trojan exploits official website