Hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages, a security company warned Saturday.

Santa Clara, Calif. based Web application security vendor Armorize said it found the mass infection while responding to a complaint by one of its largest customers. Armorize said it traced the problem to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog.

Armorize soon discovered that not only was the widget serving up content for those who had downloaded and installed it on their sites, but also it was being served by default on some — if not all — Network Solutions pages that were parked or marked as “under construction.”

Parked domains are registered but contain no owner content. Network Solutions — like many companies that bundle Web site hosting and domain registration services – includes ads and other promotional content on these sites until customers add their own.

Armorize founder and chief executive Wayne Huang said Google and Yahoo! search results indicate anywhere from 500,000 to 5 million Network Solutions domains may have been serving the malware-infected widget. Armorize believes that hackers managed to taint the widget after compromising the GrowSmartBusiness.com domain itself with a Web-based hacking tool that allowed them to control the site remotely.

Shashi Bellamkonda, director of social media for Network Solutions, said the company has disabled the Growsmartbusiness.com blog and the tainted widget. He said the company is still investigating how long the site was hacked and how many Network Solutions domains were compromised as a result. But he said he doubted the 500,000 or 5 million figure was accurate.

“My understanding was that the widget is served on the pages dynamically, and so it doesn’t always come up” on parked pages, Bellamkonda said.

One potentially limiting factor in this attack was that it seemed to target Chinese Web surfers. The malicious widget caused a fake message box to pop up, similar to a message prompt generated by the instant messaging client Tencent QQ. While this chat client is by far the most popular in China, it is probably unknown to most Westerners.

In any case, the bogus QQ alert foisted a Trojan dropper that appears to be rather poorly detected by commercial anti-virus products: Only 25 out of 52 anti-virus programs employed by Virustotal.com detected the dropped file as malicious. Those that did variously identified it as a generic Trojan horse installer or a variant of the Koobface worm, a complex threat that turns infected PCs into bots.

Network Solutions has suffered a number of other high-profile and large scale attacks this year. In two separate incidents in April and one in January, thousands of sites and blogs hosted at Network Solutions were hacked and seeded with code that tried to foist malicious software on visitors.

The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.

While there are free services like VirusTotal and Jotti that will let visitors upload a suspicious file and scan it against dozens of commercial anti-virus tools, the reports produced by the scans are shared with all of the participating anti-virus makers so that those vendors can incorporate detection for newly discovered malware into their products. While virus writers probably would love to use such services to fine-tune the stealth of their malware, they may not want their unique malware samples broadly shared among the anti-virus community before the malware has even had a chance to infect PCs.

So it’s not hard to see why some malware authors and purveyors choose to avoid these free services in favor of subscription products that scan submitted files with multiple anti-virus engines, yet prevent those results from being shared with the anti-virus vendors. Such is the business model behind scan4you.biz, a service that charges 15 cents for each file checked. Scan4you will scan your malware against 30 anti-virus products, but promises it will bar those products from snarfing up a copy of the malware:

“This service is about to help you in anonymous check of different anti-virus system. This check will be made by numbers of anti-virus system and no reports will be send to developers of this anti-virus system. You can be fully sure that your files will not be send to anti-virus databases. All reporting system in our version of anti-virus engines was disabled MicrosoftSpyNet, ESET ThreatSense.Net Early Warning System etc.”

For 15 cents, you can scan your file to see if any potential victim’s anti-virus program will detect it. Or maybe you’re more interested in seeing how well your drive-by download site is flagged by anti-virus products as malicious? Perhaps you want to see whether your site is listed on any of the major spam and anti-malware blacklists? All these checks can be had for $0.15 each.

So your malware is invisible by to all anti-virus products? Yay for you, but it won’t stay that way: Sooner or later, the malware author is going to need to tweak his creation or replace it with a newer version, or risk having the invader detected and killed by anti-virus software on the victim’s PC. Probably the most innovative feature of scan4you.biz is a service that lets you choose the interval time to have your file re-scanned, and then receive alerts whenever an anti-virus product starts shipping detection for your malware. Customers can select anywhere from a 1-24 hour rescan interval, and receive update alerts via e-mail, ICQ, Gmail chat, or Jabber (see screen shot above).

Another service, avcheck.ru, does essentially the same thing — allowing users to scan their creations and receive periodic updates about future detection — but with fewer anti-virus products and fewer instant alert options.

The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year.

Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.

What’s remarkable about this entire ecosystem is that in many cases, victims who have this installer run on their systems often end up paying for the rogue anti-virus, in addition to unknowingly giving up their passwords and handing complete control of their computer to the bad guys running this distribution network.

Stats from Avprofit’s internal pages suggest that on average, about 4 percent of victims fall for the rogue anti-virus ruse and fork over their credit card information to purchase the worthless software. For example, on Feb. 28, one affiliate generated some 1,482 installs resulting in 66 sales and $1,650 in commissions. The day prior, the affiliate drummed up 1,323 installs, resulting in 57 sales for a daily income of $1,425.

A relatively recent copy of the installer that avprofit.com made available to affiliates was sent to two places: Joebox.org, which conducts extremely detailed, automated and free malware analysis, and Virustotal.com, to see how well the installer was detected by various anti-virus tools on the market today.

According to Joebox.org, the installer dropped a file with this unique file signature, which also was flagged by another free and automated malware scanner — ThreatExpert — as ZeuS, a.k.a. “Zbot”.

Virustotal found that just 16 out of 42 anti-virus products it used to scan the installer file detected it as malicious.

The e-mail address listed in the Web site registration records for avprofit.com is “abusemaildhcp@gmail.com,” the same e-mail address used to register updatekernel.com, the site that AVprofit’s installer reached out to in order to grab the ZeuS Trojan. That e-mail address also is affiliated with a number of Web sites responsible for helping criminals recruit money mules here in the United States and abroad.

Further reading:

Web Fraud 2.0: Franchising Cyber Crime

Massive Profits Fueling Rogue Antivirus Market

Rogue Antivirus Distribution Network Dismantled

The online version of Technology Review today carries a story I wrote about a government funded research group that is preparing to release a new free tool designed to block “drive-by downloads,” attacks in which the mere act of visiting a hacked or malicious Web site results in the installation of an unwanted program, usually without the visitor’s consent or knowledge.

The story delves into greater detail about the as yet unreleased software, called “BLADE,” (short for Block All Drive-By Download Exploits). That piece, which explores some of the unique approaches and limitations of this tool, is available at this link here.

As I note in the story, nearly all of the sites that foist these drive-by attacks have been retrofitted with what are known as “exploit packs,” or software kits designed to probe the visitor’s browser for known security vulnerabilities. Last month, I shared with readers a peek inside the Web administration panel for the Eleonore exploit pack — one of the most popular at the moment.

The BLADE research group has been running their virtual test machines through sites infected with Eleonore and a variety of other exploit packs, and their findings reinforce the point I was trying to make with that blog post: That attackers increasingly care less about the browser you’re using; rather, their attacks tend to focus on the outdated plugins you may have installed.

Phil Porras, program director for SRI International — one of the research groups involved in the project –  says that so far none of the exploit sites have been able to get past BLADE, which acts as a kind of sandbox for the browser that prevents bad stuff from being written to the hard drive. Yet, because the tool allows the exploit but blocks the installation of the malicious payload, the group has been able to collect a great deal of interesting stats about the attacks, such as which browsers were most often attacked, which browser plugins were most-targeted, and so on.

The following graphs were taken from the latest version of BLADE’s evaluation lab, which is constantly updated with results from new exploit sites. The charts below show the breakdown from 5,154 drive-by download infections blocked by BLADE.

Here are the vulnerable applications that were most targeted in the drive-by attacks the BLADE group saw:

We can see the BLADE team found that the Eleonore exploit kit was among the most used to infect sites:

Researchers also found lackluster detection of the exploits by the industry’s top anti-virus products (Porras said the data below is an average of the detection rates for each malicious binary delivered by the exploit sites):

I’ll be sure to let readers know when this tool is publicly available for download.

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.

Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your results with the anti-virus community.

For $1 per file scanned (or a $40 monthly membership) av-check.com will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec, and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also , we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers.” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

Virtest checks malware suspicious files against a similar albeit slightly different set of anti-virus programs, also promising not to let submitted files get back to the anti-virus vendors: “Your soft isn’t ever sent anywhere and the files being checked will never appear in the fresh AV signature bases after scanning,” the site pledges. “On purpose in all AV-products are turned off all possible methods and initiatives of exchange of files’ info with the AV-divisions.”

The proprietors of this service don’t even try to hide the fact that they have built it for malware writers. Among the chief distinguishing features of virtest.com is the ability for malware authors to test “exploit packs,” pre-packaged kits that — when stitched into a malicious or hacked Web site — serve the visitor’s browser with a kitchen sink full of code designed to install software via one of several known security holes. Many anti-virus programs now also scan Web pages for malicious content, and this service’s “exploits pack check” will tell malware authors whether their exploit sites are triggering virus alerts across a range of widely-used anti-virus software.

But don’t count on paying for these services via American Express: Both sites only accept payment via virtual currencies such as Webmoney and Fethard, services that appear to be popular with the online shadow economy.