Slashdot Mirror


5 Million Domains Serving Malware Via Network Solutions

An anonymous reader writes "A compromised widget provided by Network Solutions was serving malware on otherwise legitimate websites. But, as bad as this discovery was, it was overshadowed a couple of days later by another revelation: the widget is automatically included on every 'parked domain' by Network Solutions! Searches on Google and Yahoo! revealed 500,000 and 5,000,000 domains affected and serving malware, respectively. A manual check of some 200 parked domains on the list showed that all of them were provided with the malware-serving widget." The researchers who uncovered this issue alerted Network Solutions, and the widget was taken down a few hours later.

67 comments

  1. Lies, all lies. by Anonymous Coward · · Score: 0

    BuY H3rB@l V1agaR@ TodaY!

  2. all by Anonymous Coward · · Score: 0

    all your base are belong to us!

    1. Re:all by Anonymous Coward · · Score: 0

      But I don't even use Windows!

  3. Network Solutions by ravenspear · · Score: 5, Insightful

    used to be the place to go for domains.

    Now they are completely redundant.

    1. Re:Network Solutions by sarysa · · Score: 5, Interesting

      I'm not surprised by TFA, but I'm not in the know when it comes to which domain parkers are "legitimate" and which aren't. Regardless of their status, accidentally hitting a parked domain on a Windows box (i.e. my work PC) has been a bit of a gut-wrenching experience for a number of years now...

      --
      Charisma is the measure of someone's ability to lie with a straight face.
    2. Re:Network Solutions by VortexCortex · · Score: 1

      used to be the place to go for domains.

      Now they are completely redundant.

      Actually, now they are ironically recursive.

      Their "Network Solutions" are serving malware, which is a "Network Problem" that then requires another "Network Solution"; This was overshadowed by another of their past "Network Problems" so that the current article about "Network Solutions" causing "Network Problems" was overlooked.

    3. Re:Network Solutions by SpaceLifeForm · · Score: 3, Insightful

      Sure, and you have just provided evidence that you did not RTFA.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    4. Re:Network Solutions by theskipper · · Score: 3, Informative

      Used to be the place to go...until competition provided some choice back in the early '00s.

      Seriously, by any metric Network Solutions has always been the worst registrar to deal with. Price, customer service, etc., the stories are legendary.

    5. Re:Network Solutions by countertrolling · · Score: 0, Troll

      Time for a Slashdot Poll... Pick a good one..

      --
      For justice, we must go to Don Corleone
    6. Re:Network Solutions by Runaway1956 · · Score: 1

      "back in the early '00s."

      So - how do YOU pronounce that? Early oughts? Early oh's? Early two thousands? I remember my grandparents and grand uncles and aunts talking about their younger days. Just like the prelude to the Mr. Bojangles song, it was "Back in 'ought six, we were so poor . . . "

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:Network Solutions by chrysrobyn · · Score: 1

      Network Solutions used to be the place to go for domains. Now they are completely redundant.

      I'd argue "irrelevant", not "redundant". If their prices were sane as they provided the same commoditized service, then they'd be redundant. In this day and age, the default parking provider should probably be someone like GoDaddy. If you have any content, stick with DreamHost or some dedicated colocation.

      I've been a happy DreamHost customer since 2006 (when I relinquished control of a dedicated service on a commercial DSL). Yeah, I don't have root anymore, but for $120/year, I don't have to pay extra for the dedicated IP and I don't have to worry about applying those patches and being a "competent admin" either. I've noticed a sum total of an hour of e-mail downtime and I haven't observed any web downtime. Unlimited e-mail forwards is really nice -- I create a new address for every site that thinks they need one so I can track spammers to their source and delete that alias.

    8. Re:Network Solutions by realityimpaired · · Score: 1

      Having dealt with CIRA, and Sibername Inc. (who is on the ICANN list you provided), I've had nothing but good results with them. Now admittedly, all of the domains I own/manage are .ca domains, but I have no reason to believe they'd be anything but good to deal with for any other TLD.

    9. Re:Network Solutions by Zazzalicious · · Score: 1

      The Early 'noughties' of course...

  4. At least they did the right thing by Abstrackt · · Score: 4, Insightful

    "The researchers who uncovered this issue alerted Network Solutions, and the widget was taken down a few hours later."

    Sucks that it happened, but at least they did something about it as soon as they found out.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    1. Re:At least they did the right thing by Anonymous Coward · · Score: 2, Interesting

      "The researchers who uncovered this issue alerted Network Solutions, and the widget was taken down a few hours later."

      Sucks that it happened, but at least they did something about it as soon as they found out.

      NOT surprised from these guys.
      They have a bad track record and continue to indulge in dirty practices like domain stealing.

    2. Re:At least they did the right thing by steveo777 · · Score: 4, Insightful

      Can you imagine being the people who were responsible for the widget? Not that I like them, but they must be pretty proud that it worked for as long as it did...

      --
      This sig isn't original enough, it's time to come up with something witty...
    3. Re:At least they did the right thing by Anonymous Coward · · Score: 0

      *puts on his tinfoil hat*
      But what if the widget was compromised by someone within Network Solutions?
      *puts down his tinfoil hat and crawls back into his pillow cave*

    4. Re:At least they did the right thing by Anonymous Coward · · Score: 0

      Yeah! Back in school, me and Billy-Joe dropped a paint bomb on the principal's car!

      Not really... But that's as close as I can come to imagining being the people responsible for the widget. They're assholes. Working hard to be an asshole is even stupider than casual assholery.

  5. Malware = Response Policy? by alphatel · · Score: 2, Interesting

    Yet another reason to use the new RPZ in BIND to blacklist all parked pages. Not really what anyone was hoping for though.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  6. Shrugged off, but root cause needs regulation by vlueboy · · Score: 2, Insightful

    Sad that this malware problem is still not going to be enough to outlaw or reduce parked domains. Heck, Network Solutions doesn't even get a slap on the wrist for failing to check their modules.

    Also, governments hate spending money on laws to regulate the internet... how about we let the current de-facto rulers of the internet do it: Search engines and browsers should do even more to stop malware domains from ever appearing in results or being reachable?

    1. Re:Shrugged off, but root cause needs regulation by rotide · · Score: 5, Insightful

      Once you start blocking "for the good of x" someone will come along and complain that "y" should be on that list too or yet another person will come along and claim that it is unfair that their site "x" was blocked. Staying neutral and allowing anything to be displayed as long as it is spider-able keeps them free of censoring/uncensoring and/or policing. Simply getting addons to your favorite browser and/or using a DNS that filters the way you like it are the best solutions.

    2. Re:Shrugged off, but root cause needs regulation by vlueboy · · Score: 1

      I respectfully disagree: Nobody is going to complain because
      1) Parked domains are useless to anyone other than a potential buyer, who has no rights to the site at all
      2) Addons are annoying to apply AND keep updated if you have more than one username on your PC, one operating system, and one browser.

      The "neutrality" stance has already been proven weak: Google already warns us about a few malware sites, and they're the number one internet site according to Netcraft for the US.

    3. Re:Shrugged off, but root cause needs regulation by vlueboy · · Score: 1

      they're the number one internet site according to Netcraft for the US.

      Oops... s/Netcraft/ALEXA/

    4. Re:Shrugged off, but root cause needs regulation by Kalriath · · Score: 1

      Since Google is in the business of "Domain Parking", I don't see them being interested in your idea.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  7. Sounds major by bugs2squash · · Score: 1

    And presumably we should now see a step function reduction in malware issues. I wonder if we will.

    --
    Nullius in verba
  8. I thought this was well known by noc007 · · Score: 4, Informative

    I thought this was a known fact that Network Solutions' parked pages served malware in one form or another. Back in July of last year I got some questions from an executive why the domain the company recently registered for was being blocked by the corporate web content filter. Turns out the Network Solutions parked page had an iframe that was serving malware from kolmic.com. I explained it and provided the parked page's HTML code with the offending code highlighted.

    Doing some Google searches showed that I wasn't the only one that had noticed this.

    1. Re:I thought this was well known by Anonymous Coward · · Score: 0

      Network Solutions' security is abysmal. From my experience, having an FTP server hosted with them, whenever they get hacked, which is often, they reset ALL passwords of their customers without informing them.

    2. Re:I thought this was well known by The-Blue-Clown · · Score: 1

      I had the same exact experience. The only issue was I had an exec that wasn't going to be pushed around by the IT guys. She ordered the filter relaxed. I only got my way when I told her I needed all such requests in writing as she was assuming the known risk I had just finished explaining to her.
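The check noc007 describes above, reading a parked page's HTML to find the iframe that pulls content from another host, can be scripted. This is an added example, not part of the thread: the sample page, every hostname in it, the blocklist entry and the `audit_page` helper are constructed for illustration.

```python
"""Flag third-party embeds (iframe/script/embed/object) in a page's HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a parked page; all hostnames are placeholders.
SAMPLE_PARKED_PAGE = """
<html><body>
<h1>This site is under construction</h1>
<img src="/images/logo.png">
<script src="/js/park.js"></script>
<script src="http://widgets.registrar.example/park/widget.js"></script>
<iframe src="//sub.malware-host.example/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

# Constructed blocklist; in practice this comes from your content filter feed.
BLOCKLIST = {"malware-host.example"}


class EmbedCollector(HTMLParser):
    """Collect tags that make the browser load and run remote content."""

    WATCHED = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        url_attr = self.WATCHED.get(tag)
        if url_attr is None:
            return
        attrs = dict(attrs)
        if attrs.get(url_attr):
            self.embeds.append((tag, attrs[url_attr], attrs))


def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_hidden(attrs):
    """Heuristic: zero/one-pixel or CSS-hidden frames are rarely legitimate."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_page(page_url, html, blocklist=BLOCKLIST):
    """Return one finding per embed whose host differs from the page's host."""
    page_host = urlparse(page_url).hostname or ""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.embeds:
        # urljoin resolves relative and protocol-relative URLs against the page.
        host = urlparse(urljoin(page_url, url)).hostname or ""
        if host_matches(host, page_host):
            continue  # first-party resource
        reasons = ["third-party"]
        if any(host_matches(host, d) for d in blocklist):
            reasons.append("blocklisted")
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden-iframe")
        findings.append({"tag": tag, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_page("http://parked-domain.example/", SAMPLE_PARKED_PAGE):
        print(f["tag"], f["host"], ",".join(f["reasons"]))
```

A third-party script with no other flag is not proof of compromise, but on a parked page it is exactly the kind of embedded widget worth reviewing by hand.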

  9. I saw the ads by HangingChad · · Score: 5, Funny

    I saw a couple of those ads, which was pretty funny to suddenly see a strange file tree on my Linux box. It was pretty scary. For a minute I thought my PC had been infected with Windows.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  10. Malware within malware? by Unordained · · Score: 2, Interesting

    Is this analysis of r57shell still relevant?

  11. Malware via browsers? by Anonymous Coward · · Score: 1, Interesting

    Apart from Internet Explorer and ActiveX, how the hell can a web page infect a computer via a Web browser?

    AFAIK Javascript can't write files to the OS, so how are they doing it?

    1. Re:Malware via browsers? by zonky · · Score: 2, Interesting

      Probably exploits via Flash, or a Windows image library.

    2. Re:Malware via browsers? by Culture20 · · Score: 4, Informative

      Apart from Internet Explorer and ActiveX, how the hell can a web page infect a computer via a Web browser? AFAIK Javascript can't write files to the OS, so how are they doing it?

      You haven't seen any of the entries in Mozilla's Bugzilla DB with "arbitrary code execution"? http://www.mozilla.org/security/known-vulnerabilities/
      Run any browser as an Admin-privileged user (as many-many ordinary home users do), and you're going to get owned at some point. Mis-type a URL, and you've suddenly hit a Network Solutions holding site. Or a Google-ad will get pre-fetched, or, or, or.
      Javascript can't write to a file, but Firefox can, and if it's made to run arbitrary code as a root/admin user, game over.

    3. Re:Malware via browsers? by bertok · · Score: 1

      Indeed. There have even been vulnerabilities in the JPG and PNG image decoders!

      I wonder how practical it would be to write a fully functional browser entirely in a managed language like C# or Java.

      It's about time somebody tried!

    4. Re:Malware via browsers? by jebblue · · Score: 0

      Sun used to make HotJava. It wasn't too bad.

    5. Re:Malware via browsers? by Culture20 · · Score: 1

      1. Only nerds read or even know what a "bugzilla DB" is.
      2. Not everyone wants to mess with the whole administrator vs user accounts thing.
      3. Not everyone uses that crappy browser known as Firefox.

      I'll give you 1 and 2 (as reasons why people don't know better), but 3 is irrelevant. Every browser has had problems like these, even lynx. Ever heard of Safari? I hear mobile Safari had a pdf exploit recently.

    6. Re:Malware via browsers? by Anonymous Coward · · Score: 0

      Don't forget .pdf files as well. Ever since Adobe thought it was a good idea to put embedded media in those things...

      If you have Adobe Reader, be sure to turn off its multimedia and javascript features too.

    7. Re:Malware via browsers? by mrbcs · · Score: 1

      A proper hosts file can help here. http://www.mvps.org/winhelp2002/hosts.htm/

      --
      I'm not anti-social, I'm anti-idiot.
    8. Re:Malware via browsers? by BitZtream · · Score: 1

      Why do people keep saying 'admin privileged user' as if that's what it takes to be owned ...

      If you never login to your machine as more than a single user, root or not, and they exploit that user, you've been owned.

      You may be able to clean yourself with a simple rm -rf ~, but effectively they have all they need when they exploit any user account. It's a place to run code, steal user info and snoop around.

      Root isn't required or needed, it's far easier to exploit general user accounts than trying to infect an entire machine making it noticeable to any real admins who may share the machine.

      Wake up and smell the coffee, running as an admin or not isn't going to prevent you from getting owned, it just limits the scope of the ownage, and on a single user machine the scope doesn't really matter.

      Javascript exploits of an unprivileged user can still install a key logger that will get your root password, it's not as quick, but it's just as effective and will probably happen within a few days of the initial exploit anyway.

      Not running as root just makes it harder to exploit the entire machine, you've still been exploited which is really all they wanted to do in the first place.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:Malware via browsers? by Viol8 · · Score: 1

      "running as an admin or not isn't going to prevent you from getting owned,"

      Yes it is. With root you can hide binaries and mod libraries, hack the kernel, install your own apps etc etc. Try doing that with a standard user account and see how long it takes to get spotted.

      "Javascript exploits of an unprivileged user can still install a key logger that will get your root password, it's not as quick, but it's just as effective and will probably happen within a few days of the initial exploit anyway."

      Key loggers don't work in X windows. Only the window manager can intercept key events before the app that owns them gets them. Cover the screen with an invisible window and apps underneath won't respond. You'd need to be root to swap the WM binary for your own hacked one. The best you could do would be to constantly call XQueryKeymap() in a tight loop but you could still miss some key presses and the 99% CPU usage would soon be spotted.

  12. Genius Moderation FTW by drinkypoo · · Score: 3, Funny

    Network Solutions (Score:2, Redundant)
    by ravenspear (756059) on 08-16-10 14:56 (#33268844)
    used to be the place to go for domains.

    Now they are completely redundant.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Genius Moderation FTW by ls671 · · Score: 1

      Maybe some moderator thought he could get his moderation modded funny...

      --
      Everything I write is lies, read between the lines.
    2. Re:Genius Moderation FTW by drinkypoo · · Score: 2, Funny

      He did. I like karma because it permits me to speak my mind (which more often than not costs me karma) but what I like more than karma is a discussion about something I find interesting. I would rather have comments than positive mods... but send more positive mods anyway ;)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. NetSol and Malware by MTTECHYBOY · · Score: 3, Funny

    Network Solutions = Malware...??? Nothing new here

  14. Damn it by trifish · · Score: 4, Interesting

    If I disregard the fact that this is an obvious Slashvertisment for some obscure thing called "HackAlert", let me tell you that I don't care WHICH or HOW MANY sites serve malware. There will always be sites serving malware, damn it!

    What I care about (and this was -- as usual -- NOT answered anywhere in TFA/Slashvertisments), are these questions:

    1. Does the served malware exploit a vulnerability for which no patch exists?
    2. If 1 is true, what browsers and operating systems are affected?

    If any kind soul knows and posts this information, you are bound to get some positive karma. Thanks.

    1. Re:Damn it by fishbowl · · Score: 4, Informative

      Reading the Armorize blog, it sounds like this isn't just a tracking cookie dropper. They are showing a shell, a file editor, and a sql query runner. Also, they claim it reproduces itself which to my mind puts it into a narrower category of "malware" (the V-word).

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:Damn it by gad_zuki! · · Score: 1

      Brian Krebs has a better writeup:

      http://krebsonsecurity.com/2010/08/networksolutions-sites-hacked-by-wicked-widget/

      Essentially, the malware delivered a popup that looks like a screen from a popular Chinese chat program. I believe it pretends to be an update. So, this is just a trojan. No vulnerability was used, well, other than the one sitting in the chair.

  15. Re:Ad Muncher would have protected everyone. by Anonymous Coward · · Score: 2, Insightful

    Why pay $30 when Adblock is free?

    https://addons.mozilla.org/en-US/firefox/addon/1865/

  16. Re:Ad Muncher would have protected everyone. by Anonymous Coward · · Score: 0

    Well then, here's hoping you sell a bunch of copies. Adblock and Noscript are working just fine on Ubuntu+Firefox here.

  17. Honest domain name registrar? by 16384 · · Score: 1

    Are there some honest and reliable domain name registrars out there? I'd like to register a domain, but I'm not sure where.

    1. Re:Honest domain name registrar? by FutureDomain · · Score: 1

      I use 1&1. Their prices are lower than the competition and I've received great customer service. I haven't caught them doing anything scummy, like GoDaddy has been caught doing (Ignoring ICANN rules and Requiring root passwords). There are many good registrars out there, and many scummy ones. I'd recommend looking around, and be aware that price isn't the only important thing.

      --
      Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
    2. Re:Honest domain name registrar? by CeruleanDragon · · Score: 1

      I've been moving my stuff to dyndns.org, they're cheaper than my previous registrar (Register.com) and seem honest enough. I also use their Dynamic DNS services too, so it's handy.

      However, when you think about it, what defines a good/bad registrar? Network Solutions might not have policed their parked sites well, but it doesn't sound like they did it maliciously. They messed up, someone missed something... for a few months... or a year or more... yeah, pretty bad f'up... but I think that's more stupid than dishonest/scummy. Unless that guy with the tinfoil hat is on the right track and they did it themselves... after the last Fed raid I haven't gotten a chance to make another tinfoil hat myself, so I won't get into that. :)

      How many registrars will look at every domain that someone registers with them and go, "Hey, you're not doing anything useful with this domain, so we're canceling your registration, you squatter!"? Not too many, that would cost money to police and cost them money in domain registrations.

      The only thing I see that defines a registrar as "scummy" are the ones that include the clause that if you ever drop your domain, they take it. Or as soon as you do a "search" for a domain, if it's free, they take it. Like GoDaddy.com used to, last I heard. Just gotta read your registration agreement carefully.

      --
      ad astra per alia porci
    3. Re:Honest domain name registrar? by 16384 · · Score: 1

      Thanks for the suggestion but a cursory check on 1&1 triggered my alarm bells... too many upsells, it's not clear what you'll pay after the first year and there are some warnings against it on webhostingtalk.com

  18. Re:Ad Muncher would have protected everyone. by CeruleanDragon · · Score: 1

    I'd mod this up if I could, I run AdBlock Plus and NoScript and they do everything mentioned above, but a lot cheaper. I don't fear accidentally landing on a "parked" website, as I know any malware/scripts on it won't get a chance to run.

    And if I'm running Firefox, and it does what I need it to... why would I need to worry about "the other programs" on my computer? In fact, why would I want any 3rd party software doing anything to my other programs? Will it stop me from wgetting malware by accident? :P

    --
    ad astra per alia porci
  19. Why adblock? HOSTS files are better by Anonymous Coward · · Score: 0

    HOSTS files are free and actually superior to adblock. First off, you already have a hosts file. Secondly, Adblock doesn't cover more than Firefox (and maybe one other recently, like IE (if that)) and hosts files cover every web-bound app you have versus known bad sites or servers (host names and domain names), including html based email programs as well as html mail in say, outlook/outlook express that are also subject to such attacks via html formatted email sent them, which adblock does not cover (or rather they or other html based capable utilizing programs). Facts are facts. Hosts files also allow you to speed up in another way by hardcoding your favorite websites into them which adblock does not allow and you can also use hosts files to secure yourself against known bad sites, servers, and ad banners also. 2 for the price of one, bonus.

  20. Network Solutions Parking Bullsh*t by Douglas+Goodall · · Score: 1

    I found out a while back that if NS thinks your web dns is messed up, they divert your web page to a parking page without telling you. That is bad enough, but worse, the parking page they set up sends browsers to your competitors. If your business is selling auto-widgets, they do an automatic search, and provide alternative auto-widget vendors on the parking page. This is bad. You pay money to promote your business, and pay to promote your domain, and when potential clients get to your page, they get sent elsewhere to do business. This makes me furious.

  21. That's nice.... by hesaigo999ca · · Score: 1

    How does one of the biggest domain providers end up being hacked? I understand if the website hosted on their domain was serving it up because of their own coding error, but a widget that they themselves created for their customers to provide content gets hacked, does not really leave me too impressed. Better start checking all regular domains being hosted with them, to see if I visit them or not....wonder if /. is one such customer?

  22. Adblock's BLOCKABLE, hosts files aren't by Anonymous Coward · · Score: 0

    Per my subject-line above: Arstechnica did that to adblock/adblock plus users:

    ArsTechnica blocking Adblock?

    https://adblockplus.org/forum/viewtopic.php?f=2&t=5266

    However, they could NOT do that to HOSTS files users though!

    Fact is, HOSTS files are better than adblock (especially adblock alone) on that account above alone, PLUS these also:

    10 ADVANTAGES OF HOSTS FILES OVER BROWSER ADDONS ALONE, & EVEN DNS SERVERS:

    1.) HOSTS files eat A LOT LESS CPU cycles than browser addons do no less (since browser addons have to parse each HTML page & tag content in them)!

    2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).

    3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).

    4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

    5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).

    6.) HOSTS files are EASILY user controlled, updated and obtained (for reliable ones -> See mvps.org ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

    7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers, as they are NOT code, & because of what's next too

    8.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.

    9.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE - NOT just a single webbrowser type (e.g. FireFox/Mozilla & its addons exemplify this, such as ADBLOCK)

    10.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - You might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...

    Still, it's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security". Between HOSTS files, a good firewall + antivirus & antispyware program setup? You're MOST of the way there (provided you also utilize your brain & sense online, that is).

    APK

    P.S.=> Best of all, HOSTS files are free, and you already own one and have COMPLETE control over it... apk

  23. Update on Network Solutions Malware Issue by Anonymous Coward · · Score: 0

    Hi, I am with Network Solutions and want to assure you that we are working on this issue and have additional clarifications and updates at http://bit.ly/9g5qv4 . Please note that this has NOT affected 5M sites as reported online. Our preliminary analysis is that the potential affected under construction web pages was less than 120k around the time of detection of the malware. Please visit http://bit.ly/9g5qv4 for frequent updates and a FAQ on the issue. –Susan Wade