When cybercriminals get down to business, they love to hit the soft spots of the web. They seek the places where it’s easiest to do widespread damage. Millions of internet users likely learned this lesson the hard way when they encountered a “Small Business Success Index” survey widget that had been overrun by hijackers and was actually installing a variation of the Koobface worm onto any computer that encountered the survey. Network Solutions was unknowingly playing host to the dangerous widget. The best antivirus 2010 programs out there have their work cut out for them.
Wayne Huang, a cyber security researcher at the firm Armorize, was the first to catch on to this malicious new threat. Alarmingly, he believes that this particular attack might involve the largest group of sites ever to distribute malware to the computers of unsuspecting Web surfers. The hijackers took over the survey widget by inserting their destructive code into the widget's main code.
Huang says that the infection can be found on every Network Solutions parked domain. Sites that have been registered but not updated are called parked domains by Network Solutions and many other registration services. Every parked Web site belonging to Network Solutions contains the Small Business Success Index widget, complete with the dangerous Koobface variant that is unleashing havoc on the computers of visitors unfortunate enough to encounter the parked domains. Huang says, “These are just parked domains, but this is a record for sure. It’s definitely a new type of attack.” No one is really sure how many sites were actually infected; reports are coming in quoting anywhere from 150,000 to 500,000 and even up to 5,000,000 infected sites.
Huang did his part to curb the attacks by warning Network Solutions about the malicious code installed in their widget. As of this weekend, Network Solutions had swiftly removed the widget from these parked domains. Other sites may not be so lucky. The widget is featured on other sites such as Google's Blogger platform, LinkedIn, Facebook, and Twitter, meaning that the likelihood of encountering the dangerous code is still very much a reality for all Internet users.
The Koobface malware spies on browser activity when users search Web sites. Based on these search terms, pop-ups are activated. The malware also uses another technique, called “phoning home,” in which it reports to a command-and-control server that updates it for other malicious purposes. For now, the spread of the virus is mostly under control, but there are still millions of computers around the world that have already been infected. Most of these users will not know they’ve been infected until it’s too late and their software is beyond repair. Antivirus Help Center encourages all web users to purchase an antivirus product or update their software immediately, to determine if they have been infected with this or any other malware. Hosting providers still need to be continuously on the alert for these types of attacks.
Huang isn’t completely certain of all aspects of the attack just yet. He still has no idea what specific software might be targeted by the code. He notes that Windows XP and Internet Explorer 6 are particularly susceptible to attack. Huang concludes by saying, “It’s a very efficient way to infect a very large number of domains. This is definitely one of the biggest mass scale drive-by-download attacks that we’ve seen.” The Antivirus Help Center has even more alarming news for Internet users: we have researched and found that less than half of the antivirus programs available today are able to detect the attack.