Up to five million parked domains served malware widget

Parked domains refer to sites that have been registered but do not contain any content.

Researchers at Santa Clara, Calif.-based Armorize still are analyzing the infection and have notified Network Solutions, a web hosting provider, about it.

The now-disabled widget attempted to serve malware to visitors of parked Network Solutions pages via drive-by-download, Wayne Huang, co-founder and CTO of Armorize, told SCMagazineUS.com on Monday.

The malware is customized to monitor a user's web browsing. It pops up ads when a user searches for certain popular terms, and attempts to duplicate itself into peer-to-peer directories on a user's computer under popular download names.

The infected widget, which was intended to provide small business tips about Network Solutions sites that were under construction, was served to domains by default when an account holder chose to park their site using Network Solutions' standard "under construction" page.

Based on Google and Yahoo searches, researchers determined that the infected widget had been installed on anywhere from 500,000 to five million parked domains, Huang said.

Armorize researchers discovered the mass infection last week while responding to a question by one of the company's largest customers.

Network Solutions' security team was notified about the infected widget over the weekend and disabled it within three hours, Armorize researchers said in a blog post Saturday.

“We have removed the widget from those pages and continue to check and monitor to ensure security,” Network Solutions wrote in its own blog post Monday.

The company, however, contested the number of affected web pages.

The widget also was available on Network Solutions' small business blog, growsmartbusiness.com or could have been installed via a script offered by widget syndication site, Widgetbox. Network Solutions recommended users who have downloaded the widget to their sites to delete it and scan the site for malware.