Sometimes you have to wonder if key people at large companies are just asleep at the switch, or if anyone is even at the switch. Or if there's even a switch to begin with. Word comes from Net-Security.org that Network Solutions, one of the largest registrars in the world, has been serving up heapin' helpings of malware from a compromised widget on many of their parked pages.
Users or administrators who have installed the "Small Business Success Index" widget provided by Network Solutions have inadvertently turned their domains into malware distribution servers. There are two ways the widget can be installed onto a site: through the "one-click installation" script offered by Widgetbox or by directly visiting Network Solutions' growsmartbusiness.com portal.
By all accounts, the growsmartbusiness.com domain was compromised and then outfitted with the venerable r57shell script, which allows attackers to completely "administer" the site. In other words, they can do whatever they want with the site. At last count there appeared to be about 500,000 compromised servers.
The malware is considered "quite mean" according to blog.armorize.com and has some slick tricks up its sleeve. For example, it serves its payload to each IP address only once (making it hard to detect), and it also blocks analysis services such as Wepawet and jsunpack.
To their credit, once Network Solutions was informed of the malware it was quickly removed, but one still has to wonder about the vetting process (or lack of same) that allowed the malware to be accepted and used. This is really just confirmation that even a company with resources as extensive as Network Solutions' can be hoodwinked.