Hack Puts Spotlight on Malware’s Long Tail: Parked Domains

They’re the dusty corners of the Web: so-called “parked” domains. But these little trafficked sites are attracting the attention of security experts, who say that it’s time for hosting firms and others that profit from them to clean up malware infections that may be exposing millions of Web users to attacks.

They’re the dusty corners of the Web: so-called “parked” domains. But these little trafficked sites are attracting the attention of security experts, who say that it’s time for hosting firms and others that profit from them to clean up malware infections that may be exposing millions of Web users to attacks.

The topic of what to do about the millions of parked domains was put back on the front burner this week after Web hosting firm Network Solutions acknowledged, on Monday, that unknown hackers had compromised a popular Web template it offered to customers, placing code in a widget to serve up malicious content from hundreds of thousands – perhaps millions of parked Web domains that the company manages. The company declined to say how long the sites had been serving the malicious content, but the mass compromise may go back more than eight months, to a breach that first came to light in January, 2010.

The sites, registered by Network Solutions customers and then left to sit, don’t garner much traffic individually. But collectively, they represent a significant piece of malicious Web traffic, according to experts at security firm Armorize, which uncovered the malicious widget and reported it to Network Solutions.

In a blog post on Thursday  analyst Wayne Huang at Armorize presented some details from an analysis of one component of the attack: a Web site, asiappc.com,  that was used to serve malware to visitors from Taiwan and Hong Kong.

By accessing a public Web analytics account fed by the malicious script, Huang was able to view traffic data to the site dating back to February – shortly after the hackers are believed to have compromised Network Solutions. The script shows steady traffic: almost 1.2 million visits since February 5, 2010, and new visits at a rate of around 14,000 a day, aggregated from untold numbers of parked domains.

Armorize has suggested that search engines stop indexing parked domain pages, both to reduce reach of infected domain pages, and to cull the parked domain population by denying so-called “domainers” a revenue stream from their static domains. But not everyone is convinced that the parked domains pose an outsize risk to the security of the Web.

“I think having a set of parked domains serving malware isn’t a good thing. The question is: ‘how bad of a thing is it?” said Dr. Neil Daswani, co-founder and CTO of the Web security firm Dasient.

Pointing to an analysis of statistics from domain parking service Sedo.com, Daswani said that even the most highly trafficked parked domains garner just a tiny fraction of actively managed sites. That makes them less interesting to attackers, who have shown themselves to be just adept at compromising active sites as parked pages.

“When attackers go after legitimate domains, their distribution is high and the impact is significant,” he said. “The fact that you had 120,000 domains infected, or whatever the number is, and nobody noticed may be an indication that its not as big a problem.”

Daswani says there is plenty of work to be done just shielding  well trafficked, actively managed Web sites from attack, especially as sites become more modular and interactive: aggregating content and deploying third party widgets and ads.

As with the Network Solutions hack, attackers have been quick to take advantage of these architectural changes, harnessing legitimate websites as distribution hubs for malware, Daswani said.  

Daswani points to the Gumblar malware attacks in 2009 that leveraged compromised FTP credentials to carry out a mass compromise of legitimate Web sites.

But Huang of Armorize notes, in the company’s blog, that in addition to getting aggregated traffic from low traffic domains, attackers can also enjoy longer infection time from low traffic domains that, by their very nature, attract little interest from visitors, hosting companies or their owners. That business model – a kind of “long tail” for malware — can be quite lucrative, as well.

A spokesperson for Google said that the company has systems to help detect parked domains, and will often not show them in the company’s search index. “If they do appear in the index, they are scanned with the same technology we use on other sites to help detect and flag malware and phishing attempts,” the spokesman said.

Some are suggesting tougher approaches. Huang and other Armorize researchers have suggested that search engines like Google, Yahoo and Bing stop crawling parked domains to reduce even the small amounts of traffic that make their way to the parked pages -especially since visitors to such mothballed pages will often not bother to report when are subject to an attack. Daswani notes that Web sites already face a still penalty for infection: black listing by Google and other search engines.  

“Gumblar infected 80,000 servers in a few weeks. Any one of those Web sites getting more traffic than parked domains,” said Daswani. “I think the community should focus on where the biggest threat is.”

Still, while there’s general agreement over the need for better monitoring by hosting providers and domain owners, the debate about where that “biggest threat” lies and on the overall size of the parked domain problem seems likely to remain a topic for polite disagreement.

Suggested articles

Discussion

  • Anonymous on

    Huh...  A typical response from Network Solutions!

  • shawnweg3 on

    I don't want to say right now
  • courtnedx on

    I don't want to say right now
  • williepsz on

    I don't want to say right now

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.