5M? Network Solutions Hosted Malware Sites

Between 500,000 and 5 million websites hosted by Network Solutions are believed to have been compromised. The affected sites presented a widget designed to help small businesses build websites that was, in fact, serving up malware to visitors. The widget was installed by default on all “parked sites”, which are sites that have been registered to reserve the site name but lack owner-provided content. The widget allowed each infected domain to be turned into a drive-by attack site. In addition, the Network Solutions domain “growsmallbusiness.com” was compromised with a shell script.

Network Solutions disabled the “Small Business Success Index” widget in parked domains and offered this: “… The number of impacted pages that have been reported publicly over the weekend are not accurate. We’re still investigating the number of web pages affected. If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for malware.” Application security firm Armorize, which was the first to warn of the attack, traced the flaw back through a series of compromises involving DNS manipulation and WordPress hacking, dating back to January.






3 thoughts on “5M? Network Solutions Hosted Malware Sites”

  1. Pingback: 5M? Network Solutions Hosted Malware Sites — National Cyber Security

  2. Hi, I am with Network Solutions and want to assure you that we are working on this issue and have additional clarifications and updates at http://blog.networksolutions.com/2010/update-on-widget-malware-issue/ Please note that this has NOT affected 5M sites as reported online. Our preliminary analysis is that the potentially affected under construction web pages were less than 120k around the time of detection of the malware. Please visit http://blog.networksolutions.com/2010/update-on-widget-malware-issue/ for frequent updates and a FAQ on the issue. –Susan Wade

    Edit – This post has been edited to remove the TinyURL entries used. I don’t like masquerading links. -Mark

  3. Thank you Susan for the update and clarification. It seems the intended targets for this campaign were Chinese hosts and users.

    “We received reports of under construction pages showing pop-up boxes with Chinese writing in them when viewed from Taiwan; however when viewing the same page at the same time here in Herndon, VA, these boxes didn’t appear. It seems this attack targeted Chinese web servers.”
