Hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages, a security company warned Saturday.
Santa Clara, Calif.-based Web application security vendor Armorize said it found the mass infection while responding to a complaint by one of its largest customers. Armorize said it traced the problem to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog.
Armorize soon discovered that the widget was not only serving up content for those who had downloaded and installed it on their sites, but was also being served by default on some — if not all — Network Solutions pages that were parked or marked as “under construction.”
Parked domains are registered but contain no owner content. Network Solutions — like many companies that bundle Web site hosting and domain registration services — includes ads and other promotional content on these sites until customers add their own.
Armorize founder and chief executive Wayne Huang said Google and Yahoo! search results indicate anywhere from 500,000 to 5 million Network Solutions domains may have been serving the malware-infected widget. Armorize believes that hackers managed to taint the widget after compromising the GrowSmartBusiness.com domain itself with a Web-based hacking tool that allowed them to control the site remotely.
Shashi Bellamkonda, director of social media for Network Solutions, said the company has disabled the GrowSmartBusiness.com blog and the tainted widget. He said the company is still investigating how long the site was hacked and how many Network Solutions domains were compromised as a result. But he said he doubted the 500,000 or 5 million figure was accurate.
“My understanding was that the widget is served on the pages dynamically, and so it doesn’t always come up” on parked pages, Bellamkonda said.
One potentially limiting factor in this attack was that it seemed to target Chinese Web surfers. The malicious widget caused a fake message box to pop up, similar to a message prompt generated by the instant messaging client Tencent QQ. While this chat client is by far the most popular in China, it is probably unknown to most Westerners.
In any case, the bogus QQ alert foisted a Trojan dropper that appears to be rather poorly detected by commercial anti-virus products: Only 25 out of 52 anti-virus programs employed by Virustotal.com detected the dropped file as malicious. Those that did variously identified it as a generic Trojan horse installer or a variant of the Koobface worm, a complex threat that turns infected PCs into bots.
Network Solutions has suffered a number of other high-profile and large-scale attacks this year. In two separate incidents in April and one in January, thousands of sites and blogs hosted at Network Solutions were hacked and seeded with code that tried to foist malicious software on visitors.