Millions of websites hosted by Network Solutions may have been dishing out malware for months.
According to security company Armorize Technologies, ‘parked’ domains – those which have been registered but are still under construction – have been turned into drive-by attack sites.
The problem derives from the ‘Small Business Success’ widget by Network Solutions. Armorize analyzed this for a customer and found it to be infected – and which the company then realized was part of the standard parking page for Network Solutions.
Wayne Huang, Armorize’s cofounder and chief technology officer, says the problem could affect as many as five million domains.
“I didn’t have time to click on every single one of them, but I clicked on enough to conclude that, all of them are indeed infected,” he says.
Indeed, Armorize registered its own site with Network Solutions, and found that it started actively serving malware the moment it was up.
Around half of all virus checkers can detect the malware, says Huang, which appears to be a variant of Koobface. It affects users running Internet Explorer, Firefox, Chrome and Opera to download a Trojan, redirecting searches and launching pop-up advertisements.
Network Solutions has taken down the widget from its parked domains. However, it remains on the 5,700-odd active sites that manually installed it.
And the parked domains still contain a malicious script which targets users based in Taiwan and Hong Kong and redirects them to other websites.