Malware Spewing Widget Hacks 500,000 Websites

Security expert estimates that up to 5 million domains parked by Network Solutions are actively serving threats.

Mathew J. Schwartz, Contributor

August 17, 2010

2 Min Read

Slideshow: Cloud Security Pros And Cons

(click for larger image and for full photo gallery)

Up to 5 million domains -- not just web pages -- were infected by a malware-spewing widget, according to security experts at web application security vendor Armorize Technologies.

On Thursday, Armorize said that it had been receiving urgent client inquiries -- including one from its largest customer -- asking why their web pages were being flagged by Armorize's hack-alert service as generating malware.

Armorize traced the malware back to the "Small Business Success Index" widget offered by Network Solutions on its GrowSmartBusiness website. The widget was also available via Widgetbox, a widget-hosting website.

"We verified that the domain was definitely compromised and injected with a r57shell (webshell), which allowed the attacker easy manipulation of the site," according to a blog post from Wayne Huang, president and chief technology officer of Armorize, and his colleagues.

Both Network Solutions and Widgetbox have since removed the widget or taken the relevant sites offline. Prior to that, the widget had been installed more than 5,300 times just from Widgetbox.

On Saturday, however, after studying the widget further, Huang said he discovered that the malicious widget wasn't confined to those two websites, but somehow was also "part of the standard domain parking page of Network Solutions."

How many affected domains were out there? A search of Google reveals at least 500,000 instances of parked Network Solutions domain pages, while Yahoo says there are 5 million.

On Monday, Network Solutions pulled the plug on the malicious widget, said Susan Wade, the company's director of public relations. "The widget link that appeared on the parked page master template has been removed, therefore the widget no longer appears on any Network Solutions' parked page."

In a statement released Monday, the company also disputed the number of domains affected. "The number of impacted pages that have reported publicly over the weekend are not accurate. We're still investigating the number of web pages affected." The company said it would release an update on its investigation on Tuesday.

Meanwhile, for anyone who added the GrowSmartBusiness widget to a website, "we recommend you delete that widget and scan your site for malware," said Network Solutions.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights