Malware Widget Infects Millions of Websites

Website domain name registration business Network Solutions says that domains marked "page under construction" have been dishing up malware.

It's suggested that millions of websites have been infected, and that the malware has been live for several months. The domains used a malicious script targeting Taiwanese and Hong Kong IP addresses to deliver a fake chat message that directed users to other web sites. (Source: computerworld.com)

Drive-By-Downloads Infect Unsuspecting Users

Malware spread when a now-disabled widget in the Small Business Success Index section of Network Solutions' GrowSmartBusiness.com site performed a "drive-by-download," says Wayne Huang, chief technology officer at security company Armorize.

The widget was able to track which web pages were visited and delivered ads based on these queries, Huang said.

The domains in question are "parked," meaning they are registered and display advertisements, but offer little or no creative content.

Targeted Browsers, Operating Systems Unclear

It's not yet clear how many versions of Internet Explorer (IE) or Windows were affected. The only Internet Explorer version and operating system (OS) known to have been targeted is Internet Explorer 6 running Windows XP. (Source: cnet.com)

Furthermore, there's really no way to tell how many web pages have been infiltrated, though it's estimated to be in the millions. Huang notes that Google lists more than 500,000 results when keywords are used by parked domains, while Yahoo lists five million. Huang said that he tested a sample of sites from the search engine results targeted by the widget and it did indeed serve up malware.

Malware Widget Live for Several Months

In a statement, Network Solutions said that it had removed the widget and was addressing the issue of malware infection:

"Regarding the widget incident from the weekend, our security team was alerted this past weekend to a malicious code that was added to a widget housed on our small business blog, growsmartbusiness.com. This widget was used to provide small business tips on Network Solutions' under construction pages."

"We have removed the widget from those pages and continue to check and monitor to ensure security. Reports of the number of pages affected are not accurate. We're still investigating to determine the number impacted," said Susan Wade, a Network Solutions spokesperson.

It's estimated that the widget was serving up malware for several months before being shut down. (Source: computerworld.com)