Over the past few days, there have been widespread reports that parked domains hosted by Network Solutions have been serving up malware, probably for several months. We are definitely glad to see that there is a growing awareness of the threat of web-based malware due to widgets, but one question that seems to be unanswered here is: “what is the true impact of this threat, when compared to say popular widgets or infected web applications?”
In our research at Dasient, we have seen that when popular traffic or audience measurement widgets get infected, for instance, thousands of top-ranked sites can be turned into malware distribution vehicles and infect hundreds of thousands or millions of users. This raises the question: how much traffic would 500k ‘parked domains’ really get, and how many users are truly infected?
According to Richard Kershaw’s search and affiliate marketing blog, parked domains do not receive much traffic at all. In a July 2009 study Richard wrote:
“1,822,377 domains are parked with Sedo, says DomainTools.com as of 8 July 2009… Sedo’s most recent stats show a mere 25 domains get traffic in double digit per day. By the time we hit domain number 26 in their rankings, we’re in single digits... So 0.001% of domains parked with Sedo get double digit per day traffic. Or to put it another way, 99.999% of domains parked with Sedo don’t hit double digits daily.”
The overwhelming majority of parked domains do not get any traffic on a daily basis, which means that only a limited number of Internet users were impacted by the malware being served at Network Solutions. (Certainly, that may be why the problem was not even noticed for a few months.) In addition, according to Brian Krebs in his latest blog post on the matter, “One potentially limiting factor in this attack was that it seemed to target Chinese Web surfers,” which would further reduce the impact of this attack on end users.
To further underscore the issue here, one should contrast this with the information Dasient published regarding a widget attack against a major traffic and audience measurement provider in May, in which some very large Quantcast 100 sites were impacted, in addition to thousands of other legitimate websites with a significant user base.
Another, more impactful example of web-based malware propagation is Gumblar, which was a more significant attack because it hijacked many diverse sites (over 80,000 confirmed and distinct sites) and was much more persistent due to its architecture: it compromised diverse websites via stolen FTP credentials, infected clients to steal more FTP credentials, and, in turn, compromised more websites. In fact, even six months after the initial outbreak of Gumblar in May 2009, it continued to infect web servers, and there was no "easy" mitigation (like commenting the widget out of a single parked domain template). Also, our research at Dasient concludes that malvertising impacts many more users on a daily basis (1.3 million page views, by our estimates).
So while it’s good that malware found in third-party widgets is being identified and discussed in the community, it is important to look at such attacks in perspective and focus the discussions on the threats that actually have a real impact on businesses and users. Malware injected onto parked domains is unlikely to have the scale and reach of attacks against legitimate websites, such as the Gumblar attack or attacks against widgets used by legitimate websites.
At Dasient, we have been publishing information about the threat of web-based malware and its impact on businesses and users since 2009. We look forward to continuing to share the latest information from our research over the coming weeks and months.