Parked Network Solutions domains served up malware

Network Solutions has disabled a widget used in parked domains that were found to be serving up malware, according to security firm Armorize.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
This screenshot shows the fake chat message and the malicious widget on the site that Armorize created to test the attack.
This screenshot shows the fake chat message and the malicious widget on the test site that Armorize registered to test the attack. Armorize

Some parked domains from Network Solutions that display "page under construction" messages were found to be serving up malware from a widget that was later disabled over the weekend, a security researcher told CNET on Monday.

However, parked domains still had malware in the form of a malicious script that targets IP addresses coming from Taiwan and Hong Kong and which serves up a fake chat message and redirects to other Web sites, said Wayne Huang, co-founder and chief technology officer at security firm Armorize. The company is still analyzing the malware and it is unclear exactly what happens when computers are redirected, he said.

The malware that was embedded in the now-disabled "Small Business Success Index" widget, from Network Solutions' GrowSmartBusiness.com site, did what is called a "drive-by-download," according to Huang. It monitored what Web pages were visited and served up ads based on search queries, among other actions, he said.

Initial analysis of the code found that the malware in the widget targeted Internet Explorer 6 on Windows XP but could have affected other software as well, Huang said.

It's unclear exactly how many Web pages or domains were affected, but Google lists more than 500,000 results when keywords are used for parked domains and Yahoo's search results list at least 5 million, according to Huang. Huang tested an undisclosed sample number of the sites from each of the search engine results and then registered a test site to see if it served up the malicious widget and the other malware, and it did, he said.

More details on the infections and research are on the Armorize blog.

Parked domains have been registered and often display ads but not custom content.

Network Solutions spokeswoman Susan Wade provided this statement when asked for comment: "Regarding the widget incident from the weekend, our security team was alerted this past weekend to a malicious code that was added to a widget housed on our small business blog, growsmartbusiness.com. This widget was used to provide small business tips on Network Solutions' under construction pages. We have removed the widget from those pages and continue to check and monitor to ensure security. Reports of the number of pages affected are not accurate. We're still investigating to determine the number impacted."

Update 11:42 a.m. PDT: Added Network Solutions' comment.