Hijacked subdomains still serving malware

Posted by Oliver Day Mon, 26 Jul 2010 20:43:41 GMT

Last month the Unmask Parasites blog wrote about attacks using hijacked subdomains of legitimate websites to serve badware. At the time of that article's publication the attacks had already been going on for a month. We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.

The standard attack used in drive-by downloads required the injection of iframes into normally benign sites; however, the landing or intermediary sites those iframes pointed to weren't normally registered to benign users. This represents an interesting evolution of tactics: it creates another layer of innocent victim in the network of infections. Judging by the fact that the infected subdomains haven't been taken down in the last two months, the attack has been fairly successful.

Considering our own methods of alerting the public to infections, it is easy to see why. The subdomains aren't something the owners will be on the lookout for, and the DNS registrar likely has no idea that attacks are occurring on their customer base. According to the blog post at Unmask Parasites, the most affected DNS registrar seems to be GoDaddy. I don't know if this means there is some flaw in their DNS management panel or if legit customers have had their credentials stolen. Either way, this trend warrants more investigation.
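As an added example (not tooling from StopBadware or Unmask Parasites), here is a small Python check a site owner could run over their own pages to spot iframes of the kind described above: an iframe whose host lies outside the page's own domain, that points at a non-standard port, or that is sized or styled to be invisible. The sample HTML is constructed for this example; the only value taken from the post is the host and port solk.seamscreative.info:8080. The page host "www.example.com" is a placeholder.

```python
"""Flag iframes that look injected: external host, non-standard port,
or hidden (zero-size / display:none). Example code, not the blog's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. The host/port solk.seamscreative.info:8080 is the
# one named in the post; everything else here is made up for illustration.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://solk.seamscreative.info:8080/" width="0" height="0"
        style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def registrable_domain(host):
    # Crude approximation (last two labels); a production audit should use
    # the public suffix list instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_hidden(attrs):
    """True if the iframe is styled invisible or has a 0/1 pixel dimension."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def dim(name):
        v = (attrs.get(name) or "").strip().rstrip("px")
        return int(v) if v.isdigit() else None

    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe with at least one red flag."""
    parser = IframeCollector()
    parser.feed(html)
    own = registrable_domain(page_host)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        u = urlparse(src)
        reasons = []
        if u.hostname and registrable_domain(u.hostname) != own:
            reasons.append("external host %s" % u.hostname)
        if u.port and u.port not in (80, 443):
            reasons.append("non-standard port %d" % u.port)
        if is_hidden(attrs):
            reasons.append("hidden (zero-size or display:none)")
        if reasons:
            findings.append((src, reasons))
    return findings


def likely_injected(html, page_host):
    """Narrow the findings: a non-standard port alone, or two or more flags.
    A lone external host (e.g. a video embed) is left for manual triage."""
    return [src for src, reasons in suspicious_iframes(html, page_host)
            if len(reasons) >= 2 or any(r.startswith("non-standard") for r in reasons)]


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", "; ".join(reasons))
    print("likely injected:", likely_injected(SAMPLE_HTML, "www.example.com"))
```

The two-tier result mirrors how an owner would triage: a legitimate embed from another domain is worth a glance, while a hidden iframe on port 8080 pointing at a host nobody on the site's team recognises is the pattern the post describes and should be treated as a compromise of the page.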

UPDATE 7/28: The GoDaddy abuse team has been notified.


October infected network stats

Posted by Maxim Weinstein Thu, 09 Oct 2008 18:51:27 GMT

In June we released "a report":http://www.stopbadware.org/home/badwebs with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updates in "July":http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats and "August":http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-mid-august. Here is another update from early October:

# of badware sites   AS block name
35147                CHINANET-BACKBONE No.31, Jin-rong Street
9504                 CHINA169-BACKBONE CNCGROUP China169 Backbone
6222                 CHINANET-SH-AP China Telecom (Group)
4671                 BIZLAND-SD - Endurance International Group, Inc.
4654                 CNCNET-CN China Netcom Corp.
3302                 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
2460                 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1632                 SOFTLAYER - SoftLayer Technologies Inc.
1597                 PAH-INC - GoDaddy.com, Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.
