infoTECH Feature

August 17, 2010

Network Solutions Widget Allows Malware Distribution

It appears Network Solutions customers may have been inadvertently exposed to malware, according to recent news reports like this one on Slashdot.

Reportedly, the company offered a Small Business Success Index widget that was used as part of the parked domain page by default and now that widget has been compromised.

In addition to this widget, the growsmallbusiness.com website was also compromised.

News reports spread rapidly this year on a string of attacks on shared hosting providers and legitimate sites.

The issues were directly linked to problems with the hosting, shared SQL access and configuration. Many believed that these problems would eventually be cleaned up and everything would get back to normal.

During an internal investigation prompted by one of the company’s largest customers, independent company Armorize discovered the Network Solutions compromise. The client was seeking information as to why sites were being flagged by Armorize’s HackAlert product while Google was reporting the sites as clean.

The resulting report is mostly confidential, but it was released on a limited basis and said that customers who install the Small Business Success Index widget on sites like Blogger and WordPress, and on custom platforms that embed the code, will start to serve malware immediately upon installation. Beyond normal hosting avenues, the widget was also made available via Facebook, Twitter, iGoogle, LinkedIn and MyYearbook.

The widget was tested on a new Blogger profile and once the single-click install was complete, the new Blogger account was instantly pushing malware.

In an attempt to learn how the widget was compromised, Armorize determined that the domain of the widget – growsmartbusiness.com – actually hosted a shell script that enabled complete control over a given account. This script, R57, allowed for shared accounts to be targeted by one compromised account.

This widget is part of the parking code used by Network Solutions and the attack reaches more than 500,000 domains.

As a result, it is important for hosting providers to implement segregation, so that the vulnerability of one account does not compromise all others. In this case, the malware includes threats such as mass SQL injections, and in shared hosting environments the malware can easily reach a higher number of targets.

In addition to segregation, it is also important that software is consistently updated and that custom software is checked for security issues. If a host is compromised, cleanup must be thorough to completely remove both the vulnerability and the method of exploitation.

Network Solutions has been made aware of the situation, but so far a complete fix – other than manual adjustments to each and every affected domain – has yet to be provided.
Susan J. Campbell is a contributing editor for TMCnet and has also written for eastbiz.com. To read more of Susan’s articles, please visit her columnist page.

Edited by Stefania Viscusi