Web hosting firm Network Solutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive or “parked” Web domains, but the company said that it still didn’t know how many domains had been affected.
In a blog post, the Herndon, Va., Web site hosting firm acknowledged published reports on Monday that it had distributed a small Web-based program that had been compromised. A company spokeswoman declined to put a number on how many Web sites may have been serving malicious content. Security experts have estimated that anywhere between 500,000 and five million Web sites may have hosted the malicious widget at one time.
The mass infections first came to light after researchers at Web security firm Armorize Technologies analyzed the widget, dubbed the “Small Business Success Index.” Researchers discovered that the infected widget was being distributed with a standard package of Web pages offered to customers who wished to “park” their Web domains, greatly increasing its prevalence.
The Armorize analysis revealed that the widget was similar to one that they had analyzed in May on the Web site of boingboing.com, a high traffic parked domain that is hosted on Network Solutions and that benefits from its similarity to the popular boingboing.net Web site. The malicious widget targets visitors with vulnerable installations of the Internet Explorer Web browser, serving malicious links that exploit known vulnerabilities in IE as well as Adobe’s Acrobat and Reader applications.
Once a visitor’s system has been compromised, remote monitoring software is installed under the name lsass.exe, a name it shares with a legitimate Windows system process (the Local Security Authority Subsystem Service). That software monitors the user’s browsing activity, looking for certain search keywords and redirecting the user to pay-per-click advertising sites. It also looks for file shares and peer-to-peer networking software, copying and renaming the malicious program into those directories in order to spread, said Caleb Sima, CEO of Armorize.
It is not known how long the malicious widget has been part of the default domain package, but infections linked to Network Solutions domains can be traced back to January 2010, when the company reported large-scale compromises and defacements of Web sites hosted on its servers. Sima said his researchers identified accounts on free Web site traffic monitoring sites that were linked to the malicious software and that date to early February 2010. That date coincides with the earlier compromises at Network Solutions, he said.
“If you look at the number of page views, it matches up with the WordPress infections,” he said.
That suggests that the malicious widget could have been active for the last eight months without being noticed. “This (widget) is using the same code base and is from the same attackers,” Sima said.
The exact number of infected sites isn’t known, but Sima believes it is in the neighborhood of 5 million sites, based on Web searches targeted at code used by the malicious widget.
Wade of Network Solutions disputed that number and said the actual number of infected sites is “much lower,” but acknowledged that the company doesn’t have a firm number, and is unlikely to make a number public even when it does.
Network Solutions has disabled the offending code, she said, adding that because the affected domains were not actively managed, the impact on customers will be minimal. She said Network Solutions is looking to review application code more thoroughly before it is deployed and to bring third-party applications like the one used in this attack more directly under Network Solutions’ control.
Sima, whose company offers a service dubbed “HackAlert” that monitors Web application security, said the exploit points to a glaring hole in the protections that both companies and third-party providers such as Network Solutions rely on. Web-based malware can be updated and modified on the fly. Only half of the anti-malware engines that Armorize ran against the malware served by the infected Network Solutions sites identified it as malicious. Moreover, companies lack the ability to spot malicious links into or out of sites that they manage.
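The gap Sima describes, a provider not knowing which external scripts its own page templates pull in, is one a hosting operator can close with a routine inventory check. The following is an added example, not code from the article, from Armorize or from Network Solutions: it parses each hosted page, collects every script, iframe, object and embed source, and reports any host that is not on an allowlist of hosts the provider actually controls. The page HTML, the allowlist and all host names below are constructed for illustration and are not the domains involved in this incident. It also goes slightly beyond the article by treating `javascript:` and `data:` sources as findings, since those carry inline payloads disguised as an external include.

```python
"""Inventory third-party active includes in hosted pages (added example).

A provider that ships one page template to thousands of parked domains can
catch an unexpected widget by diffing each page's external includes against
an allowlist of hosts it knowingly serves content from. All host names and
the sample page below are hypothetical, constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the provider knowingly serves widgets from.
ALLOWED_HOSTS = {"static.example-hosting.test", "cdn.example-hosting.test"}

# Tag/attribute pairs that pull executable or framed content into a page.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class IncludeCollector(HTMLParser):
    """Collects (tag, url) pairs for every active include in a document."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_ATTRS.get(tag.lower())
        if not wanted:
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        for name in wanted:
            if attr_map.get(name):
                self.includes.append((tag.lower(), attr_map[name]))


def external_host(url, page_host):
    """Return the host a URL loads from, or None for same-origin/relative refs.

    javascript: and data: sources are reported as pseudo-hosts so that inline
    payloads hidden in a src attribute are not silently skipped.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme in ("javascript", "data"):
        return parsed.scheme + ":"
    host = parsed.netloc.lower()
    if not host or host == page_host.lower():
        return None
    return host


def audit_page(html, page_host, allowed=ALLOWED_HOSTS):
    """Return a list of (tag, url, host) for includes not on the allowlist."""
    collector = IncludeCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.includes:
        host = external_host(url, page_host)
        if host is not None and host not in allowed:
            findings.append((tag, url, host))
    return findings


# Constructed sample: a parked-domain template with one expected widget, one
# unexpected script include and a hidden iframe. Hosts are placeholders.
SAMPLE_PAGE = """
<html><head>
<script src="http://static.example-hosting.test/parking.js"></script>
<script src="//widgets.third-party.test/sbsi.js"></script>
</head><body>
<iframe src="http://ads.unknown-host.test/frame.html" width=1 height=1></iframe>
<a href="http://example-parked.test/contact">Contact</a>
<script>/* inline code: reviewed separately, not an external include */</script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, host in audit_page(SAMPLE_PAGE, "example-parked.test"):
        print(f"UNEXPECTED {tag:<7} {host:<28} {url}")
```

Run against every page a template is deployed to, the report doubles as an inventory of which third parties are embedded where, which is what a provider needs before it can bring those applications under its own review process. Plain `<a href>` links are deliberately left out of the scan, since they do not execute on load; a separate pass for outbound links can reuse the same collector with `"a": ("href",)` added.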