
Mass Drive-By Attack Used Web Widget

Attackers took a different spin on mass infection, and targeted hosting provider Network Solutions Inc.
A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack more stubborn than the popular and more common mass SQL injection attacks.

The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.

NSI has since cleaned up its growsmartbusiness.com site and alerted its domain customers to remove the compromised widget -- which offered tips for small businesses. Just how many NSI customers' domains remain infected is unclear: Researchers at Armorize, which first reported the attack over the weekend, say it infected at the least 500,000 domains, or possibly millions, according to a Yahoo search the researchers conducted.

Network Solutions, however, disputes those numbers. "We have removed the widget from those pages and continue to check and monitor to ensure security. The number of impacted pages that have been reported publicly over the weekend are not accurate. We're still investigating the number of web pages affected," NSI posted on its website yesterday. "If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for malware."

[UPDATE: NSI now says its preliminary analysis shows that less than 120,000 parked Web pages were hit. "No active Network Solutions customer websites were impacted. Additionally, there was also no compromise on our platform," NSI says in a new blog post.]

While the number of infected domains remains up for debate, the method used by the attackers to hit multiple domains was striking. Wayne Huang, co-founder and CTO at Armorize, says the attack method is a new breed of mass infection, or drive-by, attack. "I'm sure we're going to see more of it," he says.

But Neil Daswani, CTO and co-founder of Dasient, says he doesn't consider the attack waged on the NSI domains more sustainable or reliable. "It is very easy to mitigate and may not have as much of a significant impact -- it will only impact users that end up at a parked domain, usually by mistake or mistyping a legitimate domain name," says Daswani, whose firm recently conducted research on the use of widgets.

Dasient analyzed 5,000 websites and found that 75 percent of enterprises use third-party JavaScript widgets -- mostly travel, entertainment, and leisure websites running these apps, followed by publishing firms, high-tech companies, and financial institutions.

"Mass SQL injection against highly used and popular web applications could be more likely to help cybercriminals achieve a more significant malware distribution footprint," Daswani says.

Daswani also says widgets make an attractive attack target because one widget can be used by thousands of sites. "So even if widgets are not extremely vulnerable, an attacker that analyzes the cost/benefit trade-off may see that it is worthwhile to attack even a well-guarded widget because of the benefit they receive in terms of the number of sites they can turn into malware distribution vehicles," he says.
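The first step in acting on NSI's advice to delete the widget and scan the site is knowing which externally hosted scripts a page actually loads. The following is an added example, not code from the article or from Dasient, Armorize or Network Solutions: a small Python inventory that parses a page's HTML and lists every script include served from a host other than the site's own. The sample HTML and the host names in it are constructed placeholders, not the real widget's URL.

```python
"""Inventory third-party <script> includes in a page's HTML.

Added example, not from the article or from any of the vendors it quotes.
Any script served from a host the site owner does not control can push
content to every site that embeds it, so the list this produces is the
set of includes a site owner should be able to account for.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the widget and analytics hosts are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://widgets.example-widget-host.test/tips.js"></script>
<script src="//cdn.example-analytics.test/a.js"></script>
<script>var inlineConfig = 1;</script>
<script src="https://static.example-parked.test/own.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag; count inline scripts separately."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline_count += 1


def third_party_scripts(html, site_host):
    """Return (host, src) pairs for script includes not served by site_host.

    Relative paths are same-origin and skipped; protocol-relative URLs
    (//host/path) are resolved by urlparse and treated as external if the
    host is not site_host or one of its subdomains.
    """
    collector = ScriptCollector()
    collector.feed(html)
    site_host = site_host.lower()
    findings = []
    for src in collector.srcs:
        host = urlparse(src).netloc.lower()
        if not host:
            continue  # relative path: same origin as the page
        if host == site_host or host.endswith("." + site_host):
            continue  # served by the site itself or a subdomain of it
        findings.append((host, src))
    return findings


def inline_script_count(html):
    """Number of inline <script> blocks, which also merit review after a compromise."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.inline_count


if __name__ == "__main__":
    for host, src in third_party_scripts(SAMPLE_HTML, "example-parked.test"):
        print(f"external script from {host}: {src}")
    print(f"inline scripts: {inline_script_count(SAMPLE_HTML)}")
```

Run against each template a hosting provider or site owner serves, the output is a per-page allowlist to compare against: an include that nobody can attribute to a known vendor is the one to pull, as NSI did with the GrowSmartBusiness widget.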

Meanwhile, Armorize's Huang maintains that what sets this attack apart from the more commonly used mass SQL injection is that it's not a one-time infection. "A mass SQL injection is a one-time thing," Huang says. "This one has multiple backdoors all over the system ... the attacker can remove it and you don't know where the backdoor is unless you do a full IR [incident response] process ... It's very hard to clean up your system."

And the attackers went after a domain hosting provider to reach more sites more quickly. "This is a new type of mass infection -- infecting hosting companies," he says. "We saw a lot of Web hosting instances at the beginning of this year. When you compromise a hosting company, you can insert malware into a lot of sites all at once."

Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," he says.

Then the attacker writes malicious code to the disk and executes it, he says. The researchers also found evidence that the attack fully compromised some websites, leaving behind a Web "shell," basically a control panel the attackers install once they've fully compromised the site.

"This allows you to do anything you'd like to do, insert any content," he says.

Huang and his team also discovered a second piece of malware on NSI's page: a fake instant messaging window that mimics that of an actual Chinese IM service, targeting users with IP addresses in Taiwan and Hong Kong, although a handful or so of U.S. and Chinese visitors also were hit, he says.

The attackers behind the drive-by attack on NSI's domains appear to be out of Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says.

Armorize's blog posts and demonstrations of the attacks are here.
