Network Solutions malcode widget first discovered by VeriSign Trust Seal web site malware scanning
There's a lot in the news right now about the malware distributed from what may be as many as 5,000,000 parked Network Solutions pages. In addition to the earlier article, here's a nice summary from Brian Krebs, and here's one from Elinor Mills of CNET.
The story originally broke from VeriSign Trust Services partner Armorize in a detailed two-part blog (part two here) with a subsequent, also detailed, follow-up. In the second Armorize blog post, the team writes,
A few days ago, in response to questions by one of our largest customers, we analyzed a widget by Network Solutions
I happen to know that the large customer in question was the VeriSign Trust Services division of Symantec, and the original source of the discovery was the daily scan for web site malware distribution that we include with our VeriSign Trust Seal.
Since February we have offered web site malware scanning with the standalone version of the VeriSign Trust Seal, and we're in the process of rolling this same functionality out to 100% of the VeriSign-branded SSL customer base. SSL customers who have activated the service receive a daily scan of their web sites, seeking malware distribution, at no additional charge. One of these daily scans identified a malware hit on a VeriSign SSL customer's site. Since we notify the site operator when these incidents occur - complete with identification of the specific page, line of code, and text string in which the malware distribution occurs - the problem almost always is fixed the same day. This particular page hit again for malware the next day and then the day after that, unusual enough that our team started to investigate. As part of that investigation we pulled in Armorize, and the rest is history.
This incident illustrates a few salient points.
- Web site malware distribution is a scourge on online safety today. As Armorize writes about this attack in its follow-up, "We strongly believe that the number of potentially impacted users is high."
- Daily scans are an indispensable part of fighting this problem. Armorize reports that this attack has been live since May. It was not until VeriSign started to roll out widespread malware scanning that anybody discovered it.
- You can't count on the fact that other parties will discover these attacks. Network Solutions now agrees that the widget in question was a distributor of malware and has pulled it down. But what happened during the three months prior to that?
- Businesses need to choose to monitor and manage their own security and not to assume that a hoster or other service provider is getting it right for them. This incident is not the first of its kind. Just a few months ago we saw a similar malware problem with a number of hosting providers, including Go Daddy. It's clear that businesses can't rely on hosters to manage this problem by themselves. Fortunately, there are solutions like the VeriSign Trust Seal that can make monitoring for malware distribution automatic, simple and affordable and can ease remediation of an attack considerably.