Attackers took a different spin on mass infection, and targeted hosting provider Network Solutions Inc.A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack more stubborn than the popular and more common mass SQL injection attacks.
The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.
Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," he says.
Then the attacker writes malicious code to the disk and executes it, he says. The researchers found evidence of fully compromised websites by the attack with a Web "shell," basically a control panel the attackers install once they've fully compromised the site.
"This allows you to do anything you'd like to do, insert any content," he says.
The attackers behind the drive-by attack on NSI's domains appear to be out of Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says. Armorize's blog posts and demonstrations of the attacks are here.
netizens left a footprint.