Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.
Sedo

500,000 "Parked Domains" on Network Solutions Serving Malware

Status
Not open for further replies.

companyone

DNF Regular
Legacy Exclusive Member
Joined
Jan 24, 2004
Messages
1,333
Reaction score
12
Hi,

More Than "Interesting"...be careful out there!


***I made the links "non click-able" on purpose in this post ~ so watch what you do***




500,000 "Parked Domains" on Network Solutions Serving Malware


by Steve Ragan - Aug 15 2010, 01:06


1 | 2

The Small Business Success Index widget, offered to customers by Network Solutions and used as part of the parked domain page by default, has been compromised. In addition to the hijacked widget, the Network Solutions domain, growsmallbusiness .com was compromised itself, where a classic shell script was used for full access.

Earlier this year, a string of attacks on shared hosting providers and legitimate sites caused quite a stir. However, while the issues were linked to issues with the hosting, shared SQL access, and configuration problems, many “thought eventually everything would be cleaned up and everyone's operations would be back to normal--but it seems that didn't happen... yet,” Wayne Huang of Armorize said.

The Network Solutions compromise was discovered by Armorize during an internal investigation that was prompted by one of their largest customers. The client wanted to know why sites were being flagged by Armorize’s HackAlert product, when Google for example, reported the domains as clean.

“They are a very large customer of ours. They scan their customer sites for Malware and we are their technology provider,” Huang told The Tech Herald.

The report itself, while mostly confidential, was released on a limited basis, and says that Network Solutions customers who choose to install the Small Business Success Index widget, on sites such as Blogger, WordPress, and custom platforms using the embed code, will start serving Malware immediately.

In addition to normal hosting avenues, the widget is also available for Facebook, Twitter, iGoogle, LinkedIn, and MyYearbook. Armorize tested the widget on a new Blogger profile, and once the single-click install was finished, the newly minted Blogger account was pushing Malware.

While searching for the answers as to how the widget was compromised, Armorize discovered evidence that the widget domain, growsmartbusiness .com, hosted a shell script that allows complete control over a given account.

The shell script, R57, is seen below in an image of the cache page [Link]. Given that shared accounts on a server can be targeted from a single compromised account, the discovery of R57 is a huge red flag.

___

MALWARE CODE IS GIVEN ON FIRST PAGE

___

On pages where the widget is loaded via JavaScript, such as the case of Network Solutions’ parked domains, malicious JavaScript files are delivered that will attempt to compromise the browser.

If successful, they will deliver Malware as the final payload [Payload VirusTotal test]. The JavaScript is not part of the widget, Armorize explained to us, but it is delivered via an IFRAME from the widget.php script used on growsmartbusiness .com.

Parts of the attack itself will only attempt to serve each individual IP address once, and blocks drive-by-download detection services such as Wepawet and JSUnpack.

Further investigation by Armorize showed that the widget and code on the parked pages used in this recent attack are the same ones that were used in the attack on boingboing .com (not to be confused with boingboing .net). The knockoff .com domain is still malicious.

Given that the widget is part of the parking code used by Network Solutions, the attack reaches more than 500,000 domains, Armorize says. Searches on Google by The Tech Herald [Link] show 595,000 domains, but we are willing to bet 20-percent of those domains are clear. However, that still leaves hundreds of thousands of domains that are openly malicious.

Source 1st Page And Many Links And A Whole 2nd Page At HERE




___________
Dan
 
Last edited:
Dynadot - Expired Domain Auctions
Status
Not open for further replies.

Who has viewed this thread (Total: 1) View details

Who has watched this thread (Total: 1) View details

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members Online

Sedo - it.com Premiums

IT.com

Premium Members

MariaBuy

Upcoming events

New Threads

Our Mods' Businesses

UrlPick.com

*the exceptional businesses of our esteemed moderators

Top Bottom