08|16|2010 06:14 pm EDT
Armorize, a web security company, reported on their blog today that Network Solutions had been displaying a widget box that contains malware. The company was notified and quickly remedied the parking pages. Based on a Yahoo search only, there are over 5 million domain names with NSI parked landers that may have been affected by this drive-by malware.
According to Help Net Security, the malware is a drive-by variety that doesn’t take much to infect the user’s computer. Simply visiting a parking page hosted by NSI would trigger the download.
The malware then modifies the registry, monitors four of the most popular browsers, redirects users using popular search engines to other websites, pops up advertisements according to a list of search terms, and duplicates and renames itself to resemble a varied assortment of legal and illegal software (mostly key generators and cracked software versions). It then “phones home” to several URLs in order to receive further instructions and download more malware.
Only 50% of the antivirus solutions included in VirusTotal’s check detected this malware a couple of days ago, and it was discovered to have the ability to block well-known drive-by download analysis services such as Wepawet and jsunpack.
This attack definitely marks the beginning of the exploitation of hosting providers as a means to compromise a massive number of domains and spread malware to millions of users in a short period of time. Let’s hope that hosting providers will take this occurrence seriously and rethink their defenses from top to bottom.
This is not good news for parking companies and domain owners who rely on parking revenue. As parked pages become synonymous with malware or problems, users will shift away from clicking more and more... Is this just another nail in the coffin for domain parking?