500,000 "Parked Domains" on Network Solutions Serving Malware

companyone

Hi,

More Than "Interesting"...be careful out there!


***I made the links "non click-able" on purpose in this post ~ so watch what you do***




500,000 "Parked Domains" on Network Solutions Serving Malware


by Steve Ragan - Aug 15 2010, 01:06


The Small Business Success Index widget, offered to customers by Network Solutions and used as part of the parked domain page by default, has been compromised. In addition to the hijacked widget, the Network Solutions domain, growsmallbusiness .com was compromised itself, where a classic shell script was used for full access.

Earlier this year, a string of attacks on shared hosting providers and legitimate sites caused quite a stir. However, while the issues were linked to issues with the hosting, shared SQL access, and configuration problems, many “thought eventually everything would be cleaned up and everyone's operations would be back to normal--but it seems that didn't happen... yet,” Wayne Huang of Armorize said.

The Network Solutions compromise was discovered by Armorize during an internal investigation that was prompted by one of their largest customers. The client wanted to know why sites were being flagged by Armorize’s HackAlert product, when Google for example, reported the domains as clean.

“They are a very large customer of ours. They scan their customer sites for Malware and we are their technology provider,” Huang told The Tech Herald.

The report itself, while mostly confidential, was released on a limited basis, and says that Network Solutions customers who choose to install the Small Business Success Index widget, on sites such as Blogger, WordPress, and custom platforms using the embed code, will start serving Malware immediately.

In addition to normal hosting avenues, the widget is also available for Facebook, Twitter, iGoogle, LinkedIn, and MyYearbook. Armorize tested the widget on a new Blogger profile, and once the single-click install was finished, the newly minted Blogger account was pushing Malware.

While searching for the answers as to how the widget was compromised, Armorize discovered evidence that the widget domain, growsmartbusiness .com, hosted a shell script that allows complete control over a given account.

The shell script, R57, is seen below in an image of the cache page [Link]. Given that shared accounts on a server can be targeted from a single compromised account, the discovery of R57 is a huge red flag.

___

MALWARE CODE IS GIVEN ON FIRST PAGE

___

On pages where the widget is loaded via JavaScript, such as the case of Network Solutions’ parked domains, malicious JavaScript files are delivered that will attempt to compromise the browser.

If successful, they will deliver Malware as the final payload [Payload VirusTotal test]. The JavaScript is not part of the widget, Armorize explained to us, but it is delivered via an IFRAME from the widget.php script used on growsmartbusiness .com.

Parts of the attack itself will only attempt to serve each individual IP address once, and blocks drive-by-download detection services such as Wepawet and JSUnpack.

Further investigation by Armorize showed that the widget and code on the parked pages used in this recent attack are the same ones that were used in the attack on boingboing .com (not to be confused with boingboing .net). The knockoff .com domain is still malicious.

Given that the widget is part of the parking code used by Network Solutions, the attack reaches more than 500,000 domains, Armorize says. Searches on Google by The Tech Herald [Link] show 595,000 domains, but we are willing to bet 20-percent of those domains are clear. However, that still leaves hundreds of thousands of domains that are openly malicious.

Source 1st Page And Many Links And A Whole 2nd Page At HERE




___________
Dan
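The article says the malicious JavaScript is not inside the widget itself but arrives through an IFRAME injected by the widget's loader script, and that the attack serves each IP address only once. A first defensive step when checking a parked page or a site that embeds such a widget is to inventory every third-party loader it pulls in and flag the ones that are hidden or that resolve to a host you are already tracking. The following Python script is an added example written for this thread; it is not code from The Tech Herald, Armorize or Network Solutions. The hostnames in it are constructed placeholders, and `WATCHLIST`, `audit_page` and `LoaderCollector` are names chosen here.

```python
"""Inventory third-party loaders (scripts, iframes, objects) on a fetched page.

Added example for this thread, not code from the article or from Armorize.
It inspects static HTML only: the widget's own JavaScript and any IFRAME it
injects at runtime are not executed here, so a clean result from this scan is
not proof the page is clean.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watchlist of hosts to flag; real entries come from your own
# incident records, never from guesswork.
WATCHLIST = {"example-widget-host.invalid"}


class LoaderCollector(HTMLParser):
    """Collect script/iframe/object sources and whether each is visually hidden."""

    def __init__(self):
        super().__init__()
        self.loaders = []  # list of dicts: tag, src, hidden

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "object", "embed"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        # Zero-size or display:none frames are the usual shape of drive-by loaders.
        hidden = (
            a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.loaders.append({"tag": tag, "src": src, "hidden": hidden})


def host_of(src, page_host):
    """Return the hostname a src attribute resolves to (relative URLs -> page host)."""
    parsed = urlparse(src, scheme="http")
    return (parsed.hostname or page_host).lower()


def audit_page(html, page_host, watchlist=WATCHLIST):
    """Return one finding per external loader, flagged if hidden or on the watchlist."""
    collector = LoaderCollector()
    collector.feed(html)
    findings = []
    for item in collector.loaders:
        h = host_of(item["src"], page_host)
        on_watchlist = h in watchlist or any(h.endswith("." + w) for w in watchlist)
        findings.append({
            "tag": item["tag"],
            "src": item["src"],
            "host": h,
            "third_party": h != page_host.lower(),
            "hidden": item["hidden"],
            "suspicious": item["hidden"] or on_watchlist,
        })
    return findings


# Constructed parked-page fragment: a stats widget plus a hidden IFRAME of the
# kind the article describes. Hosts are placeholders, not the real ones.
SAMPLE_HTML = """
<html><body>
<h1>This domain is parked</h1>
<script src="/js/park.js"></script>
<script src="http://example-widget-host.invalid/widget.php?id=123"></script>
<iframe src="http://payload.example/frame.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "parked.example"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['tag']:7} {f['host']:30} {f['src']}")
```

Run it against saved page source rather than a live fetch where you can: because the article notes the attack serves each IP address only once, a second request from the same scanner address may come back clean, so keep the first capture. A hidden IFRAME that is only written by JavaScript at runtime will not appear in static HTML at all; for that case the saved DOM from an instrumented browser is the input to audit, not the raw response.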