Network Solutions Malicious Widget May Date to January

usan Wade, Dir. of PR for Network Solutions, Herndon, Virginia. 703.668.5057 ||Web hosting firm NetworkSolutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive  or “parked” Web domains, but the company said that it still didn’t know how many domains had been infected. In a blog post (, the Herndon, Virginia Web site hosting firm The company acknowledged published reports ( on Monday that it allowed a third party widget that was part of a widely installed Web site package to be compromised. A company spokeswoman declined to put a number to how many Web sites may have been serving malicious content. Security experts have estimated that anywhere between 500,000 and five million Web sites may have hosted the malicious widget at one time. The mass infections first came to light after researchers at Web security firm Armorize Technologies analyzed a third party widget ( dubbed the Small Business Success Index that was offered by Network Solutions. Researchers realized that the widget, in addition to being downloadable from Network Solutions, was distributed with a standard package of Web pages that Network Solutions offered to customers who wished to “park” Web domains they had registered using a basic place holder Web site – greatly increasing its prevalence. The Armorize analysis revealed that the widget was similar to one that they had first spotted in May on the Web site of, a high traffic parked domain that is hosted on Network Solutions and that benefits from its similarity to the popular Web site ( The malicious widget targets visitors with vulnerable installations of the Internet Explorer Web browser, serving malicious links that exploit known vulnerabilities in IE as well as Adobe’s Acrobat and Reader applications.  Once it has compromised user systems, the browsers push remote monitoring software, dubbed lsass.exe, to the infected systems. That software monitors user browsing activity, looking for certain search keywords and redirecting users to pay per click advertising sites. It also looks for file shares and peer to peer networking software, copying and renaming the malicious program to those directories to spread said Caleb Sima, CEO of Armorize. It is not known how long the malicious widget has been part of the default domain package, but infections linked to Network Solutions domains can be traced back to January, 2010 when the company reported large scale compromises and defacement of Websites hosted on Network Solutions Unix servers ( Sima said his researchers identified accounts on free Web site traffic monitoring sites that were linked to the malicious software programs and that date to early February, 2010. That date conincides with the earlier compromises at Network Solutions, he said. “If you look at the number of page views, it matches up with the Wordpress infections.” That implies that the malicious Widget could have been active for the last year without being noticed. “This (widget) is using the same code base and is from the same attackers,” Sima said. He said the exact number of infected sites isn’t known, but believes it is in the neighborhood of 5 million sites, based on Web searches targeted at code used by the malicious widget.Wade of Network Solutions disputes that number and says the actual number of infected sites is “much lower,” but acknowledged that the company doesn’t have a firm number, and is unlikely to make public a number when it does know. Network Solutions has disabed the offending code she said, adding that since the affected domains were not actively managed, the impact on customers will be minimal. Sima, whose company offers a service dubbed “HackAlert” that monitors Web sites for infections, said the exploit points to a glaring hole in the protections that both companies and third party providers such as Network Solutions rely on. Web -based malware can be updated and modified on the fly. Only half of the anti malware engines that Armorize ran against the malware served by the infected Network SOlutions sites identified it as malicious. MOreover, companies lack the ability to spot malicious links into or out of sites that they manage. <object width=”480″ height=”385″><param name=”movie” value=”;hl=en_US”></param><param name=”allowFullScreen” value=”true”></param><param name=”allowscriptaccess” value=”always”></param><embed src=”;hl=en_US” type=”application/x-shockwave-flash” allowscriptaccess=”always” allowfullscreen=”true” width=”480″ height=”385″></embed></object>Web hosting firm NetworkSolutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive  or “parked” Web domains, but the company said that it still didn’t know how many domains had been infected. 

A recently patched vulnerability in Adobe’s ColdFusion application
server may be more serious than previously thought following the public
release of exploit code and blog posts claiming it can be used to take
full control of systems running the software. Read the full article. [The Register]

Researchers are advising Facebook users to avoid offers to download an “official dislike button”, which the firm claims has spread virally across the service. There are  two different versions of the ruse thus far, both with tiny URL links to rogue applications. Read the full article. []

The Ruby developers have issued version 1.9.1-p430 of the Ruby programming language, a security update that addresses a cross-site scripting (XSS) vulnerability. Read the full article. [The H Security]

A password of less than seven characters will soon be “hopelessly
inadequate” even if it contains symbols as well as alphanumerical
characters, according to computer scientists at the Georgia Tech
Research Institute. Read the full article. [The Register]

Hundreds of thousands of Web sites parked at have been serving up malicious software thanks to a tainted widget embedded in the pages, a security company warned over the weekend. Read the full article. [KrebsonSecurity]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.