Infected Widget Compromises Parked Domains

 
 
By Brian Prince  |  Posted 2010-08-16
 
 
 

Researchers at Armorize Technologies reported that as many as 5 million parked domains belonging to customers of Network Solutions fell victim to an infected widget and were serving up a side order of malware.

Armorize has notified Network Solutions, which told eWEEK it is investigating the situation and can't confirm how many domains may have been affected. According to Armorize, however, the now-disabled widget had been installed on at least 500,000 parked domains, and possibly 5 million.

Parked domains are domains that have been registered but have no owner-provided content. According to Armorize CTO Wayne Huang, many of his company's customers were found to be serving malware the company linked to the "Small Business Success Index" widget by Network Solutions.

"[The widget] was hacked, as proved by the webshell that Google caches," Huang told eWEEK. "The attacker had full control."

Google lists more than 500,000 results when keywords for parked domains are used, while Yahoo search lists some 5 million.

The widget launched a drive-by attack against users running Internet Explorer, Google Chrome, Firefox and Opera. The malware modifies the registry, monitors for the browsers, redirects search engine users and generates pop-up advertisements depending on whether certain search terms are entered. It also renames itself to a list of popular software programs and calls out to control URLs for further instructions.

According to Network Solutions, the widget was used to provide small business tips on pages that were under construction.

"We have removed the widget from those pages and continue to check and monitor to ensure security. ... If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for malware," the company said in an alert.


Rocket Fuel