Hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages, a security company warned Saturday.
Santa Clara, Calif. based Web application security vendor Armorize said it found the mass infection while responding to a complaint by one of its largest customers. Armorize said it traced the problem to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog.
Armorize soon discovered that not only was the widget serving up content for those who had downloaded and installed it on their sites, but also it was being served by default on some — if not all — Network Solutions pages that were parked or marked as “under construction.”
Parked domains are registered but contain no owner content. Network Solutions — like many companies that bundle Web site hosting and domain registration services – includes ads and other promotional content on these sites until customers add their own.
Armorize founder and chief executive Wayne Huang said Google and Yahoo! search results indicate anywhere from 500,000 to 5 million Network Solutions domains may have been serving the malware-infected widget. Armorize believes that hackers managed to taint the widget after compromising the GrowSmartBusiness.com domain itself with a Web-based hacking tool that allowed them to control the site remotely.
Shashi Bellamkonda, director of social media for Network Solutions, said the company has disabled the Growsmartbusiness.com blog and the tainted widget. He said the company is still investigating how long the site was hacked and how many Network Solutions domains were compromised as a result. But he said he doubted the 500,000 or 5 million figure was accurate.
“My understanding was that the widget is served on the pages dynamically, and so it doesn’t always come up” on parked pages, Bellamkonda said.
One potentially limiting factor in this attack was that it seemed to target Chinese Web surfers. The malicious widget caused a fake message box to pop up, similar to a message prompt generated by the instant messaging client Tencent QQ. While this chat client is by far the most popular in China, it is probably unknown to most Westerners.
In any case, the bogus QQ alert foisted a Trojan dropper that appears to be rather poorly detected by commercial anti-virus products: Only 25 out of 52 anti-virus programs employed by Virustotal.com detected the dropped file as malicious. Those that did variously identified it as a generic Trojan horse installer or a variant of the Koobface worm, a complex threat that turns infected PCs into bots.
Network Solutions has suffered a number of other high-profile and large scale attacks this year. In two separate incidents in April and one in January, thousands of sites and blogs hosted at Network Solutions were hacked and seeded with code that tried to foist malicious software on visitors.
Not sure I agree with the headline “NetworkSolutions Sites Hacked By Wicked Widget” According to the article it was Growsmartbusiness.com that was actually compromised along with the widget hosted there. Was growsmartbusiness.com hosted at NetSol? This article isn’t clear. Did the widget only appear on NetSol pages or were other hosting companies involved as well.
Between 500,000 and 5 million? Really thats as close as they could come? Does NetSol even host 5million sites? A number that vaque is so useless it shouldn’t even be included.
This is not the same as previous incidents at NetSol were they are definitely at fault. This reads to me like NetSol is actually a victim and not the perpetrator here.
– SR
P.S. Oh, wait, I see the (s) in the headline now ‘sites’ as in sites hosted by NetSol were compromised and not NetSol itself. Still, my comments stand.
Space Rogue — The site that was hacked is a blog hosted and run by NetworkSolutions, and one that hosted a widget that was embedded in many other NetSol hosted sites.
Ah, it wasn’t clear to me that the blog was hosted and run by NetSol. I got the impression that it was just some random site and that NetSol happened to be use the widget on its hosted sites.
– SR
It was clear in the article.
Frank
Hey Brian, from my conversation with Armorize’s Wayne Huang, it sounds like the Chinese-language QQ pop-up was a second attack, separate from the invisible drive-by-download. Huang told me he thinks the QQ window is probably geotargetted to him because he’s based in Taiwan, and it wouldn’t have appeared for other users. If so, this is more relevant to western users than a mere QQ pop-up.
That’s great information, Andy, thanks. Have you written about this yet?
Any sign of lawyers swarming on this one? If you were redirected there as opposed to choosing to go there …
Hi Brian,
Is this a credible demo on how to break into NetSol?
http://www.youtube.com/watch?v=nabz7t65eUM
I asked NetSol, and it took them a month to say they didn’t know.
Thanks,
+Roger
Looking at the video, and my goodness doesn’t it get boring quickly, they’re looking through a directory structure which _could_ be NetSol’s backend, but it could also be the video creators NAS unit.
Just noticed, might be relevant, but in the bottom right hand corner of the software they’re using the russian text says ‘address’ and reads ‘localhost’.
I haven’t seen anything that would identify it specifically as NetSol’s, so in their interests, they’d say they didn’t know purely because they don’t want the hassle.
Looks like that is a Network Solutions server. It was probably compromised and a r57-like shell script put on it.
The proof that it is NetSol? one of the user directories he browses to is a website junctionartsfest which is junctionartsfest.com which is hosted by NetSol.
A network whois of junctionartsfest.com comes up as CIDR: 205.178.145.0/24
OrgName: Network Solutions, LLC
OrgId: NSL-37
I think this video is from last year or earlier this year when there were widespread website hacks going on at NetSol due to security holes in their servers. Those incidents were also covered by Brian Krebs.
http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/
Btw, the video is not a ‘demo’. It just shows somebody browsing server folders after already getting that unauthorized access. How he got that access is not shown.
Yes, Armorize included some screenshots of the R57 shell that was apparently used to compromise the site, and I included a link to that screen shot in the original story above
http://webcache.googleusercontent.com/search?q=cache:xBysOx9rGNMJ:growsmartbusiness.com/tag/microsoft/+http://growsmartbusiness.com/widgets/widget.php&cd=7&hl=ru&ct=clnk&gl=tw&client=firefox-a
Sorry for off topic. Brian, there appears to be an issue when using IE8 to view your site. It gets redirected to http://m.krebsonsecurity.com/?source=cache_based_redirect_low and the formatting is all messed up (because it’s for mobile devices?). It doesn’t happen with Firefox. I’ve been able to duplicate the issue on three separate systems, one on a different network. Just wanted to let you know. 🙂
Agree that formatting on IE8 is malfunctioning. Looks fine with Chrome, though.
Yes, I’m sorry all. I just implemented a mobile version of the site today, and am having a few technical difficulties. Hopefully will have it fixed soon. Thanks for your patience.
Must have fixed it. I’m using IE8 in Vista x64, and it looks fine. I do miss the email subscription though. I don’t really like RSS.
JC — What do you mean you miss the e-mail subscription? You can sign up for e-mails on the right sidebar; it will send you a link every time I post a new item.
Dear Brian;
I don’t know what is wrong, as I have full permissions open for your blog; but the check box in the comment section disappeared several weeks ago, so I can subscribe to your blog but not individual discussions – where it used to work fine by simply checking the box. Then I could get every comment in my email box. I liked it that way. : (
Maybe a Microsoft update broke my browser, but it disappeared in Mozilla too. Sorry to use this forum for complaining, but I can’t find a way to contact you separately on your site. I’m sure the email contact address I had for you is obsolete since you left the Post.
I used RSS to find this again, it takes forever for me to catch up using RSS. Maybe I’ll get used to it, but it really fills up my bookmarks fast! Perhaps I need a class in “RSS for dummys”! : )
Okay – a new Microsoft update fixed the issue. It was a Windows issue all along – I suspect. Even though I use Mozilla on your site.
A Koobface variant quite nicely explains the flood of open Chinese proxy servers on TCP port 9415 that has been going on since at least March of this year.
Over 170,000 have been reported since May.
Hi, I am with Network Solutions and want to assure you that we are working on this issue and have additional clarifications and updates at http://bit.ly/9g5qv4 . Please note that this has NOT affected 5M sites as reported online. Our preliminary analysis is that the potential affected under construction web pages was less than 120k around the time of detection of the malware. Please visit http://bit.ly/9g5qv4 for frequent updates and a FAQ on the issue. –Susan Wade
Please do not use bit.ly. I have it being used to redirect to malware and in spam and am thus blocking it. They wouldn’t reply to my queries about the redirects involved.. But even worse, there is no way to see where you are goiing. I suggest you use the preview URL feature with TinyURL instead.
OPSWAT based in San Francisco has a commercially available Multiscanning solution that would have detected this problem. Filterbit-dot-com is the online demo version of it. The issue pertains to two essential defense building blocks: 1- Multiscanning and 2- quality engines.
Network Solutions is the most absurd company I have ever worked with, their customer service is a joke. I would never recommend this company to anyone.