500,000 parked domains on Network Solutions serving Malware (Update 2)

Update 2:

While not an apology or an explanation as to how the growsmartbusiness.com domain was compromised, Network Solutions issued an official statement on the incident.

“Our Security Team was alerted this past weekend to a malicious code that was added to a widget housed on our small business blog, growsmartbusiness.com. This widget was used to provide small business tips on Network Solutions’ under construction pages.”

“We have removed the widget from those pages and continue to check and monitor to ensure security...If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for Malware.”

Network Solutions added that the number of impacted pages listed in various reports (including ours), which ranges from 500,000 (based on Google search results) to millions based on Armorize’s projections, is not accurate. They will continue to investigate the actual count.

Update:

Wayne Huang got in touch with us to update some information. First, depending on the search engine, there could be up to 5,000,000 domains that were compromised.

"...Google shows the first 45 pages only, and Yahoo shows the first 100 only. So we couldn't really go through all the domains one by one...and 5 million is too large a number for manual verification anyways," he said by email.

We say "were compromised" (past tense) because Network Solutions has commented out the malicious code, preventing it from loading on the parked pages. The problem is that commenting out the code is a temporary fix at best. We're hoping for more information on the resolution soon.

Original Article:

The Small Business Success Index widget, offered to customers by Network Solutions and used by default on its parked domain pages, has been compromised. In addition to the hijacked widget, the Network Solutions domain growsmartbusiness.com was itself compromised: a classic web shell was found on it, giving full access to the account.

Earlier this year, a string of attacks on shared hosting providers and legitimate sites caused quite a stir. However, while those incidents were linked to problems with the hosting itself, shared SQL access, and configuration mistakes, many “thought eventually everything would be cleaned up and everyone's operations would be back to normal--but it seems that didn't happen... yet,” Wayne Huang of Armorize said.

The Network Solutions compromise was discovered by Armorize during an internal investigation that was prompted by one of their largest customers. The client wanted to know why sites were being flagged by Armorize’s HackAlert product when Google, for example, reported the domains as clean.

“They are a very large customer of ours. They scan their customer sites for Malware and we are their technology provider,” Huang told The Tech Herald.

The report itself, while mostly confidential, was released on a limited basis, and says that Network Solutions customers who choose to install the Small Business Success Index widget, on sites such as Blogger, WordPress, and custom platforms using the embed code, will start serving Malware immediately.

In addition to normal hosting avenues, the widget is also available for Facebook, Twitter, iGoogle, LinkedIn, and MyYearbook. Armorize tested the widget on a new Blogger profile, and once the single-click install was finished, the newly minted Blogger account was pushing Malware.

While searching for answers as to how the widget was compromised, Armorize discovered evidence that the widget domain, growsmartbusiness.com, hosted a web shell that allows complete control over the account.

The web shell, R57, is seen below in an image of the cached page [Link]. Given that every account on a shared server can be targeted from a single compromised account, the discovery of R57 is a huge red flag.


On pages where the widget is loaded via JavaScript, such as the case of Network Solutions’ parked domains, malicious JavaScript files are delivered that will attempt to compromise the browser.

If successful, they will deliver Malware as the final payload [Payload VirusTotal test]. The JavaScript is not part of the widget, Armorize explained to us, but it is delivered via an IFRAME from the widget.php script used on growsmartbusiness.com.
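Network Solutions' advice in Update 2 is to scan any site where the widget was installed. As an added example (not the article's, Armorize's or Network Solutions' code), the stdlib-only Python check below walks saved HTML of your own pages for script and IFRAME sources that point at the widget host named in the article, and lists any other cross-origin IFRAMEs for manual review. The widget URL path, the sample page and the .invalid payload host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the article names as serving the compromised widget (widget.php).
SUSPECT_HOSTS = {"growsmartbusiness.com"}

class EmbedCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src and tag == "script":
            self.scripts.append(src)
        elif src and tag == "iframe":
            self.iframes.append(src)

def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL ('' if relative)."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()

def find_widget_embeds(html, page_host):
    """Return (kind, src, reason) tuples for embeds to remove or review."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for kind, urls in (("script", parser.scripts), ("iframe", parser.iframes)):
        for url in urls:
            host = host_of(url)
            # Match the widget host itself or any subdomain of it.
            if any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTS):
                findings.append((kind, url, "references the compromised widget host"))
            elif kind == "iframe" and host and host != page_host.lower():
                # The payload came through a third-party IFRAME, so flag cross-origin frames.
                findings.append((kind, url, "cross-origin iframe, review manually"))
    return findings

# Constructed sample of a parked page; the widget path and .invalid host are made up.
SAMPLE_PAGE = """<html><body><h1>example-parked.test</h1>
<script src="http://growsmartbusiness.com/widget.php"></script>
<script src="/js/parking.js"></script>
<iframe src="http://payload-host.invalid/x.html" width="1" height="1"></iframe>
<iframe src="http://example-parked.test/ads.html"></iframe>
</body></html>"""
```

Run `find_widget_embeds(SAMPLE_PAGE, "example-parked.test")` to see the two hits; relative and same-origin sources are left alone.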

Parts of the attack are served to each individual IP address only once, and the attack blocks drive-by-download detection services such as Wepawet and JSUnpack.

Further investigation by Armorize showed that the widget and code on the parked pages used in this recent attack are the same ones that were used in the attack on boingboing.com (not to be confused with boingboing.net). The knockoff .com domain is still malicious.

Given that the widget is part of the parking code used by Network Solutions, the attack reaches more than 500,000 domains, Armorize says. Searches on Google by The Tech Herald [Link] show 595,000 domains, but we are willing to bet 20 percent of those domains are clean. However, that still leaves hundreds of thousands of domains that are openly malicious.

The notion that a widget, combined with a site compromise, led to this massive attack struck us as ironic, given that we had been talking with Neil Daswani, the Chief Technology Officer of Dasient, less than 24 hours before the Armorize discovery. Daswani was talking to us about common Web attack surfaces, and widgets were high on the list when it comes to compromises that his company has seen.

With that in mind, we asked Huang to list some things that Webmasters and Web hosts need to be aware of to prevent such incidents. Scanning tools are great, but they are not end-all, be-all solutions.

“For hosting providers, one critical effort is segregation. One hosting account can be compromised because of the hosting provider's vulnerabilities (at the application level or configuration level, for example), or because of issues with the customer's own applications (custom application vulnerabilities, or the use of outdated software). You never know,” he said in an email exchange.

“But the key is not to let compromise of an individual hosting account lead to compromise of the entire shared hosting environment. Mass scale, automated website compromise to distribute Malware includes threats like mass SQL injections, but compromising shared hosting, if achievable, makes distributing Malware even easier.”

For mass SQL injections, Huang added, “…you usually inject the malicious JavaScript directly, which means, the next time you have new Malware, you need to do it again, and you probably cannot delete the old one.”

His bottom line: segregation is key, along with ensuring that software is kept up to date and that custom software is checked for security issues. After that, if a host is compromised, make sure the clean-up is thorough, completely removing both the vulnerability and the method of exploitation. “They can't just fix the vulns that let the attacker in. They have to clean up the backdoors and Web shells.”

After the report was delivered, Armorize contacted Network Solutions. Attempts to reach Network Solutions for comment by The Tech Herald were unsuccessful, but once we hear from them we will update this article.

The Armorize reports are here and here.
