RSA: Chaos In the Security World, And the Situation Is Perfect

Right on cue this week, the anarchic hacking collective Anonymous stepped up and grabbed the story line away from the lions of the IT security industry. With the annual RSA Conference set to begin, the whistle-blowing site Wikileaks released the first of some five million e-mail messages stolen from the security intelligence firm Stratfor. Ever sensitive to the fickle attention of the media, Anonymous inserted itself into the story, claiming responsibility for leaking the data and pointing a finger of blame at Stratfor and its media, private and public sector customers, which Anonymous accuses of spying and other dark offenses.

YieldManager Ad Network Serving Malvertising

One of the world’s largest advertising networks, YieldManager, has been serving ransomware to websites from all over the world. The malvertising campaign was first detected by Armorize’s HackAlert scanning farm.

Two major online ad networks–DoubleClick and MSN–were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.

Web hosting firm Network Solutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive or “parked” Web domains, but the company said that it still didn’t know how many domains had been infected. In a blog post, the Herndon, Virginia Web site hosting firm acknowledged published reports on Monday that it allowed a third party widget that was part of a widely installed Web site package to be compromised. A company spokeswoman declined to put a number to how many Web sites may have been serving malicious content. Security experts have estimated that anywhere between 500,000 and five million Web sites may have hosted the malicious widget at one time. The mass infections first came to light after researchers at Web security firm Armorize Technologies analyzed a third party widget dubbed the Small Business Success Index that was offered by Network Solutions. Researchers realized that the widget, in addition to being downloadable from Network Solutions, was distributed with a standard package of Web pages that Network Solutions offered to customers who wished to “park” Web domains they had registered using a basic placeholder Web site, greatly increasing its prevalence. The Armorize analysis revealed that the widget was similar to one that they had first spotted in May on the Web site of, a high traffic parked domain that is hosted on Network Solutions and that benefits from its similarity to the popular Web site. The malicious widget targets visitors with vulnerable installations of the Internet Explorer Web browser, serving malicious links that exploit known vulnerabilities in IE as well as Adobe’s Acrobat and Reader applications. Once it has compromised user systems, the browsers push remote monitoring software, dubbed lsass.exe, to the infected systems.
That software monitors user browsing activity, looking for certain search keywords and redirecting users to pay per click advertising sites. It also looks for file shares and peer to peer networking software, copying and renaming the malicious program to those directories to spread, said Caleb Sima, CEO of Armorize. It is not known how long the malicious widget has been part of the default domain package, but infections linked to Network Solutions domains can be traced back to January, 2010, when the company reported large scale compromises and defacement of Web sites hosted on Network Solutions Unix servers. Sima said his researchers identified accounts on free Web site traffic monitoring sites that were linked to the malicious software programs and that date to early February, 2010. That date coincides with the earlier compromises at Network Solutions, he said. “If you look at the number of page views, it matches up with the Wordpress infections.” That implies that the malicious widget could have been active for the last year without being noticed. “This (widget) is using the same code base and is from the same attackers,” Sima said. He said the exact number of infected sites isn’t known, but believes it is in the neighborhood of 5 million sites, based on Web searches targeted at code used by the malicious widget. Wade of Network Solutions disputes that number and says the actual number of infected sites is “much lower,” but acknowledged that the company doesn’t have a firm number, and is unlikely to make public a number when it does know. Network Solutions has disabled the offending code, she said, adding that since the affected domains were not actively managed, the impact on customers will be minimal. Sima, whose company offers a service dubbed “HackAlert” that monitors Web sites for infections, said the exploit points to a glaring hole in the protections that both companies and third party providers such as Network Solutions rely on.
Web-based malware can be updated and modified on the fly. Only half of the anti-malware engines that Armorize ran against the malware served by the infected Network Solutions sites identified it as malicious. Moreover, companies lack the ability to spot malicious links into or out of sites that they manage.
