5 million domains serving malware via compromised Network Solutions widget

A recent rise in the number of Armorize’s customers’ sites getting flagged by their own drive-by downloads and zero-day malware threats detection service HackAlert has led the the company researchers to the discovery of a compromised widget provided by Network Solutions.

The widget in question is the “Small Business Success Index”, and it can be picked up on NS’ growsmartbusiness.com website and on Widgetbox (where an installation script is provided).

Once the researchers were pretty certain that the widget was the culprit for the malware serving on otherwise legitimate websites, they tested the theory by opening a brand new Google Blogger account and visited Widgetbox. A click on the offered “Install Widget” button, a pop-up window with the script and several one-click-install buttons for popular services such as Facebook, Blogger, Twitter, WordPress, LinkedIn, and many others appears.

They chose the Blogger button and the widget was immediately installed on their test blog:

The result? The blog starts to serve malware – HackAlert blocks detects it immediately. Further investigation uncovered that the growsmartbusiness.com domain is “compromised and injected with a r57shell (webshell), which allowed the attacker easy manipulation of the site,” says Wayne Huang.

But, as bad as this discovery was, it was bound to be overshadowed a couple of days later by another revelation: the widget is automatically included on every “parked” domain by Network Solutions!

A quick search on Google and Yahoo! revealed that there are around 500,000 and 5,000,000 domains affected and serving malware, respectively. A manual check of some 200 parked domains on the list showed that all of them were provided with the malware-serving widget.

Network Solutions has been notified of the fact, and has acted quickly by removing the widget from their parked domains. Unfortunately, this is only a temporary fix, and the registrar will have to do some serious damage control because it seems that this infection can be linked to to a very similar one that caused the recent multiple incidents of massive compromises of WordPress blogs and websites hosted by Network Solutions.

At the time, it was thought that the compromises were executed by exploiting some flaw in WordPress. And the worst part about all of this is the fact that these incidents started way back in January, and who knows how many systems were infected from that moment to this – unfortunately, it takes only a visit to a compromised site to trigger the download of the malware (lsass.exe).

The malware then modifies the registry, monitors four of the most popular browsers, redirects users using popular search engines to other websites, pops up advertisement according to a list of search terms and duplicates and renames itself to resemble a varied assortment of legal and illegal software (mostly key generators and cracked software versions). It then “phones home” to several URLs in order to receive further instructions and download more malware.

Only 50% of the antivirus solutions included in VirusTotal’s check detected this malware a couple of days ago, and it was discovered to have the ability to block well-known by download analysis services such as Wepawet and jsunpack.

This attack definitely marks the beginning of the exploitation of hosting providers as a means to compromise a massive amount of domains and spread malware to millions of users in a short period of time. Let’s hope that hosting providers will take this occurrence seriously and rethink their defenses from top to bottom.