Network Solutions


Network Solutions’ Systems Back Online Following DDoS Attacks

Web host and domain name registry Network Solutions reports that all of its systems are working today following two denial-of-service (DDoS) attacks earlier this week. The first DDoS attack hit their services Monday afternoon, June 21, while a consecutive attack occurred on Tuesday morning, June 21.

On the Network Solutions Hack and Smartphone Attacks

In the long-awaited return of the News Wrap podcast, Threatpost’s newest editor, Paul Roberts, makes his debut as he and Dennis Fisher discuss the Network Solutions parked domains hack, the troubling attacks emerging on smartphone platforms and the odd story of a Trojan-infected PC being linked to a 2008 airplane crash.


Web hosting firm NetworkSolutions confirmed on Monday that it had unwittingly served up a malicious Web site widget on customers’ inactive or “parked” Web domains, but the company said that it still didn’t know how many domains had been infected. In a blog post (http://blog.networksolutions.com/2010/security-alert-malware-found-on-widget/), the Herndon, Virginia Web site hosting firm acknowledged published reports (http://threatpost.com/en_us/blogs/network-solutions-hacked-widget-081610) on Monday that it allowed a third party widget that was part of a widely installed Web site package to be compromised. A company spokeswoman declined to put a number to how many Web sites may have been serving malicious content. Security experts have estimated that anywhere between 500,000 and five million Web sites may have hosted the malicious widget at one time.
The mass infections first came to light after researchers at Web security firm Armorize Technologies analyzed a third party widget (http://blog.armorize.com/2010/08/more-than-500000-network-solutions.html) dubbed the Small Business Success Index that was offered by Network Solutions. Researchers realized that the widget, in addition to being downloadable from Network Solutions, was distributed with a standard package of Web pages that Network Solutions offered to customers who wished to “park” Web domains they had registered using a basic placeholder Web site, greatly increasing its prevalence. The Armorize analysis revealed that the widget was similar to one that they had first spotted in May on the Web site of boingboing.com, a high traffic parked domain that is hosted on Network Solutions and that benefits from its similarity to the popular boingboing.net Web site (http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html).
The malicious widget targets visitors with vulnerable installations of the Internet Explorer Web browser, serving malicious links that exploit known vulnerabilities in IE as well as Adobe’s Acrobat and Reader applications. Once it has compromised user systems, the browsers push remote monitoring software, dubbed lsass.exe, to the infected systems. That software monitors user browsing activity, looking for certain search keywords and redirecting users to pay per click advertising sites. It also looks for file shares and peer to peer networking software, copying and renaming the malicious program to those directories to spread, said Caleb Sima, CEO of Armorize.
It is not known how long the malicious widget has been part of the default domain package, but infections linked to Network Solutions domains can be traced back to January, 2010 when the company reported large scale compromises and defacement of Websites hosted on Network Solutions Unix servers (http://blog.networksolutions.com/2010/update-web-site-defacement-issue). Sima said his researchers identified accounts on free Web site traffic monitoring sites that were linked to the malicious software programs and that date to early February, 2010. That date coincides with the earlier compromises at Network Solutions, he said. “If you look at the number of page views, it matches up with the Wordpress infections.” That implies that the malicious widget could have been active for the last year without being noticed. “This (widget) is using the same code base and is from the same attackers,” Sima said. He said the exact number of infected sites isn’t known, but believes it is in the neighborhood of 5 million sites, based on Web searches targeted at code used by the malicious widget. Wade of Network Solutions disputes that number and says the actual number of infected sites is “much lower,” but acknowledged that the company doesn’t have a firm number, and is unlikely to make public a number when it does know.
Network Solutions has disabled the offending code, she said, adding that since the affected domains were not actively managed, the impact on customers will be minimal. Sima, whose company offers a service dubbed “HackAlert” that monitors Web sites for infections, said the exploit points to a glaring hole in the protections that both companies and third party providers such as Network Solutions rely on. Web-based malware can be updated and modified on the fly. Only half of the anti-malware engines that Armorize ran against the malware served by the infected Network Solutions sites identified it as malicious. Moreover, companies lack the ability to spot malicious links into or out of sites that they manage.

Hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in the pages, a security company warned over the weekend. Read the full article. [KrebsonSecurity]

According to research, the malicious iframe used in the latest Network Solutions attack pointed to corpadsinc.com which then downloads Adobe exploits onto victims’ machines. The hacks raise an issue increasingly being faced by Website owners: what’s the responsibility of the ISP or service or cloud provider to provide more application-layer security?

Web site domain registrar and hosting provider Network Solutions acknowledged that hackers had broken into its servers and defaced hundreds of customer Web sites. The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, along with the message “HaCKed by CWkomando.” Read the full article. [KrebsonSecurity]
