IT security, vunerabilities, bugs, fixes, flaws, RSA conference and Infosec.
A blog from V3.co.uk

« Japanese hacker arrested for fishy malware | Main | Justin Bieber used as malware lure »

Largest ever drive-by download discovered?

An infected widget from web hosting firm Network Solutions could have affected over five million separate domains, according to new research from web app security firm Armorize.

The security firm revealed that the 'Small Business Success Index' widget was infected last week, but the malware could have been operating in some form for months. It soon realised that the problem was much more widespread than at first thought.

"Yesterday I had some time to sit down and study this widget further, and discovered something critical - it's a part of the standard domain parking page of Network Solutions," explained co-founder Wayne Huang.

According to a Google search, the widget in question was available and serving malware on more than 500,000 domains, but according to Yahoo that number rose to over five million, he said.

"I didn't have time to click on every single one of them, but I clicked on enough to conclude that, all of them are indeed infected, via the same widget we blogged about a few days ago," wrote Huang.

"Also, neither Google or Yahoo actually shows all results. Google shows the first 45 pages only, and Yahoo shows the first 100 only. So we couldn't really go through all the domains one by one...and 5 million is too large a number for manual verification anyways."

The drive-by-malware in question, when downloaded, redirects user searches and monitors various search terms, automatically popping up advertising on the user's screen, for which the malware writer will get a fee.

According to Armorize, Network Solutions took down the widget within three hours of being contacted. However it remains worrying how such a large scale drive-by download remained under the radar for so long.

August 17, 2010 |

Comments

Hi, I am with Network Solutions and want to assure you that we are working on this issue and have additional clarifications and updates at http://bit.ly/9g5qv4 Please note that this has NOT affected 5M sites as reported online. Our preliminary analysis is that the potential affected under construction web pages was less than 120k around the time of detection of the malware. Please visit http://bit.ly/9g5qv4 for frequent updates and a FAQ on the issue. –Susan Wade

Posted by :Susan Wade | August 19, 2010 5:33 PM

Post a comment







Site credentials: About | Privacy policy | Terms & conditions | Top of the page
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093