Incident: Malicious Widget on Network Solutions' Parked Domains Causes Malware Attack

Published Date: 2010-08-16

Postmortem Analysis
Timeline
1. The software failure incident happened over the weekend, as mentioned in the article.
2. The article was published on 2010-08-16.
3. Therefore, the software failure incident occurred on the weekend before 2010-08-16, which would be August 14-15, 2010.

System
1. Network Solutions' "Small Business Success Index" widget from GrowSmartBusiness.com site
2. Malicious script targeting IP addresses from Taiwan and Hong Kong
3. Internet Explorer 6 on Windows XP

Responsible Organization
1. Malicious actors who embedded the malware in the "Small Business Success Index" widget [2754]
2. Network Solutions for hosting the widget on their site without proper security measures in place [2754]

Impacted Organization
1. Parked domains from Network Solutions displaying "page under construction" messages were impacted by the software failure incident [2754].

Software Causes
1. The software failure incident was caused by the embedding of malware in the "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site, which performed a "drive-by-download" and served up malicious scripts targeting specific IP addresses [2754].

Non-software Causes
1. The malicious widget was embedded in the "Small Business Success Index" widget on Network Solutions' GrowSmartBusiness.com site, which was later disabled [2754].
2. Parked domains from Network Solutions were serving up malware from the widget [2754].
3. The malware targeted IP addresses coming from Taiwan and Hong Kong, serving up a fake chat message and redirecting to other websites [2754].
4. The malware performed a "drive-by-download" action, monitoring visited web pages and serving ads based on search queries [2754].
5. The incident involved parked domains that typically display ads but not custom content [2754].

Impacts
1. The software failure incident led to parked domains serving up malware through a malicious widget, targeting IP addresses from Taiwan and Hong Kong, displaying fake chat messages, and redirecting to other websites [2754].
2. The malware embedded in the widget performed a "drive-by-download," monitored visited web pages, and served ads based on search queries [2754].
3. The malware primarily targeted Internet Explorer 6 on Windows XP but could have affected other software as well [2754].
4. The exact number of affected web pages or domains was unclear, but there were potentially millions of results in search engine listings related to the incident [2754].

Preventions
1. Regular security audits and code reviews of third-party widgets and scripts embedded on websites could have helped prevent the software failure incident by detecting any malicious code or vulnerabilities before they are exploited [2754].
2. Implementing strict access controls and permissions for adding and modifying widgets or scripts on websites could have prevented unauthorized changes that led to the insertion of malicious code [2754].
3. Utilizing web application firewalls and intrusion detection systems to monitor and block suspicious activities or malicious traffic could have helped in detecting and mitigating the malware serving from the widget [2754].

Fixes
1. Removing the malicious widget from the affected pages and domains.
2. Conducting a thorough security audit to identify and address any other potential vulnerabilities.
3. Implementing stricter security measures to prevent similar incidents in the future.
4. Providing security patches or updates for affected software versions.
5. Educating users on safe browsing practices and the importance of keeping software up to date to prevent malware attacks [2754].

References
1. Wayne Huang, co-founder and chief technology officer at security firm Armorize [2754]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization | (a) The software failure incident related to the malicious widget serving up malware from parked domains happened again at Network Solutions. The incident involved malicious code added to a widget on Network Solutions' small business blog, growsmartbusiness.com, which was used to provide small business tips on under construction pages. The widget was later removed from those pages, and Network Solutions' security team continues to monitor and ensure security [2754]. (b) There is no specific information in the provided article about a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) | design, operation | (a) The software failure incident in this case can be attributed to the design phase. The incident involved a malicious widget embedded in a "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site. This widget, initially used to provide small business tips on under construction pages, was found to contain malware that performed a "drive-by-download" attack, monitoring visited web pages and serving up ads based on search queries [2754]. (b) The software failure incident can also be linked to the operation phase. The malware in the widget targeted Internet Explorer 6 on Windows XP but could have affected other software as well. The malicious script within the widget served up a fake chat message and redirected users to other websites, indicating a failure related to the operation or misuse of the system [2754].
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident described in the article is primarily within_system. The incident involved a malicious widget embedded in a widget from Network Solutions' GrowSmartBusiness.com site, which was used to provide small business tips on Network Solutions' under construction pages. The widget was found to be serving up malware, including a fake chat message and redirects to other websites, targeting IP addresses from Taiwan and Hong Kong. The malware performed actions like monitoring visited web pages and serving ads based on search queries. The code in the widget targeted Internet Explorer 6 on Windows XP but could have affected other software as well [2754]. (b) The incident also involved outside_system factors as the malware was served from parked domains displaying "page under construction" messages. These parked domains were found to be serving up malware from the malicious widget, which was later disabled. The malware was embedded in the widget and did a "drive-by-download," monitoring web pages visited and serving ads based on search queries. The exact impact on computers when redirected by the malware was unclear, and the company was still analyzing the malware to understand its full implications [2754].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in this case was primarily due to non-human actions. The incident involved a malicious widget embedded in a "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site. This widget, when activated, performed a "drive-by-download" action, monitoring visited web pages and serving up ads based on search queries. The malware targeted Internet Explorer 6 on Windows XP but could have affected other software as well. The malicious script served up a fake chat message and redirected users to other websites without direct human involvement [2754]. (b) Human actions were also involved in this software failure incident. The malicious code was added to a widget housed on Network Solutions' small business blog, growsmartbusiness.com, which was used to provide small business tips on under construction pages. This indicates that the introduction of the malicious code into the widget was a result of human actions. Network Solutions' security team was alerted to the issue and took steps to remove the widget from affected pages and continue monitoring for security [2754].
Dimension (Hardware/Software) | software | (a) The software failure incident did not occur due to contributing factors originating in hardware. The incident was primarily related to software issues, specifically malware embedded in a widget on Network Solutions' GrowSmartBusiness.com site. The malicious script targeted IP addresses from Taiwan and Hong Kong, serving up a fake chat message and redirecting to other websites. The malware performed actions like monitoring visited web pages and serving ads based on search queries [2754]. (b) The software failure incident was primarily caused by contributing factors originating in software. The malware was embedded in the "Small Business Success Index" widget, leading to a "drive-by-download" attack that affected Internet Explorer 6 on Windows XP and potentially other software. The incident involved the serving of malicious content and unauthorized redirection of users to harmful websites [2754].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in this case was malicious. The incident involved a malicious widget embedded in a "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site. The malware in the widget performed actions such as monitoring visited web pages, serving up ads based on search queries, and targeting Internet Explorer 6 on Windows XP. The malicious script targeted IP addresses from Taiwan and Hong Kong, serving up a fake chat message and redirecting to other websites [2754]. The incident was described as a drive-by-download attack, indicating a deliberate attempt to infect users' systems with malware without their consent.
Intent (Poor/Accidental Decisions) | accidental_decisions | The software failure incident described in Article 2754 was primarily due to accidental decisions. The incident involved a malicious widget embedded in a "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site. This widget was intended to provide small business tips on Network Solutions' under construction pages but was compromised with malicious code, leading to the distribution of malware targeting specific IP addresses and performing actions like monitoring visited web pages and serving ads based on search queries. The incident was not a result of poor decisions but rather an accidental introduction of malicious code into the widget, as indicated by the Network Solutions spokeswoman's statement acknowledging the presence of malicious code and the ongoing investigation to determine the extent of the impact [2754].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident in this case was not explicitly attributed to development incompetence. The incident involved a malicious widget embedded in Network Solutions' GrowSmartBusiness.com site, which served up malware targeting specific IP addresses and performing actions like monitoring visited web pages and serving ads based on search queries. The malware was embedded in the widget and did a "drive-by-download," affecting Internet Explorer 6 on Windows XP and potentially other software as well. The incident was analyzed by security firm Armorize, and the exact impact and actions of the malware were still being investigated [2754]. (b) The software failure incident in this case was accidental in nature. The incident involved parked domains from Network Solutions that were found to be serving up malware from a widget that was later disabled over the weekend. The malware in the form of a malicious script targeted IP addresses from Taiwan and Hong Kong, serving up a fake chat message and redirecting to other websites. The incident was discovered by a security researcher from Armorize, and Network Solutions' security team was alerted to the malicious code added to the widget on their small business blog. Network Solutions removed the widget from the affected pages and continued to monitor the situation to ensure security [2754].
Duration | temporary | (a) The software failure incident described in the article seems to be temporary. The incident involved a malicious widget on Network Solutions' GrowSmartBusiness.com site that was serving up malware from parked domains. The malicious script targeted IP addresses from Taiwan and Hong Kong, serving up a fake chat message and redirecting to other websites. The widget was later disabled over the weekend, indicating that the failure was not permanent [2754].
Behaviour | crash, value, other | (a) crash: The software failure incident in the article can be categorized as a crash. The malicious widget embedded in the "Small Business Success Index" widget from Network Solutions' GrowSmartBusiness.com site caused a "drive-by-download" attack, leading to the system losing its state and not performing its intended functions [2754]. (b) omission: The incident does not specifically mention a failure due to the system omitting to perform its intended functions at an instance(s). (c) timing: The incident does not specifically mention a failure due to the system performing its intended functions correctly, but too late or too early. (d) value: The software failure incident can be associated with a failure due to the system performing its intended functions incorrectly. The malware served up fake chat messages, redirected to other websites, monitored visited web pages, and served ads based on search queries, all actions that were not intended functions of the system [2754]. (e) byzantine: The incident does not specifically mention a failure due to the system behaving erroneously with inconsistent responses and interactions. (f) other: The software failure incident can be further described as a security breach leading to the distribution of malware through a widget on parked domains, impacting potentially a large number of websites. The incident involved the exploitation of the widget to serve up malicious content and perform unauthorized actions on users' computers, which is a behavior not covered by the options (a) to (e) [2754].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | theoretical_consequence | (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data were impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? Based on the provided article, there were no observed consequences of death, harm, basic needs impact, property loss, or non-human entities being impacted due to the software failure incident. The incident primarily involved the distribution of malware through a malicious widget on parked domains, targeting Internet Explorer 6 on Windows XP and potentially affecting other software. The consequence was mainly related to the potential risk of users' computers being infected with malware through drive-by downloads, leading to unauthorized monitoring of web pages visited and serving up ads based on search queries. The primary focus was on the technical aspects of the incident and the actions taken to address the security threat.
Domain | information | (a) The software failure incident was related to the information industry as it involved a malicious widget embedded in a "Small Business Success Index" widget on Network Solutions' GrowSmartBusiness.com site, which was used to provide small business tips on under construction pages [2754].
