Wikipedia defines this practice as “an advertising practice used primarily by domain name registrars and internet advertising publishers to monetize type-in traffic visiting an under-developed domain name. The domain name will usually resolve to a page containing relevant advertising listings and links. These links will be targeted to the predicted interests of the visitor and may change dynamically based on the results that visitors click on.”
Or, in normal-people jargon: random marketing material that is mostly pointless for most people. Typically, our readers immediately navigate away from such pages upon visiting them by accident.
Here’s a screenshot of a typical parking page:
Ugh, was that screenshot necessary?

Well actually, there is something more to this page (or we wouldn’t be blogging about this, would we?)
ThreatSeeker™ has picked up something a little more behind this parking page's austere demeanor. Navigate to the right directory, and we see this:
Well that’s interesting. I’ll bet this isn’t a part of the registrar’s “free parking page” triple-combo package offer when customers sign up for a new domain. The data consisting of URLs is neatly delimited to simplify it for machine processing (how handy!) in the format of:
http:// domain : random port number / random directory / random filename .exe | next URL | and the next URL | ...
What do these URLs do anyway? Let’s find out. They appear, straightforwardly enough, to be Win32 executables which, upon execution, visit other sites that we have already categorized as malicious. Yup, these are certified trojan horse downloaders checking in with their mothership for further orders from The Architect. I mean, the bot master.
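For defenders who capture a list in this layout, here is a sketch of turning it into blockable indicators. It is an added example, not ThreatSeeker code; the function names are hypothetical and the sample list is constructed with reserved `.example` hosts.

```python
from urllib.parse import urlsplit

# Constructed sample in the pipe-delimited layout described above;
# hosts use the reserved .example TLD and are not real indicators.
SAMPLE = (
    "http://a1.example:8372/kq/ld.exe|"
    "http://b2.example:41021/zz/upd.exe|"
    "http://a1.example:8372/kq/ld.exe|"
    "not a url|"
    "http://c3.example/readme.txt"
)

def parse_url_list(blob):
    """Split a pipe-delimited URL list into deduplicated indicator records."""
    records, rejected, seen = [], [], set()
    for raw in blob.split("|"):
        entry = raw.strip()
        if not entry:
            continue
        try:
            parts = urlsplit(entry)
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            rejected.append(entry)
            continue
        if parts.scheme not in ("http", "https") or not parts.hostname:
            rejected.append(entry)  # keep malformed entries for manual review
            continue
        if entry in seen:
            continue
        seen.add(entry)
        default = 443 if parts.scheme == "https" else 80
        records.append({
            "url": entry,
            "host": parts.hostname.lower(),
            "port": port if port is not None else default,
            "odd_port": port is not None and port != default,
            "exe": parts.path.lower().endswith(".exe"),
        })
    return records, rejected

def blocklist_hosts(records):
    """Hosts serving an .exe on a non-default port, the pattern seen in the list."""
    return sorted({r["host"] for r in records if r["exe"] and r["odd_port"]})

if __name__ == "__main__":
    recs, bad = parse_url_list(SAMPLE)
    print(blocklist_hosts(recs), bad)
```

Rejected entries are returned rather than dropped, so a partly corrupted capture still yields the usable indicators and leaves the rest for an analyst.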
So there you have it—there is something more to this parking page than just its poker face exterior. The next time you see a parking page, look again. It might be a glitch in the Matrix. Or an innocuous-looking parking page embedded with invisible drive-by maliciousness (hmm, how long before we see that? Remember, you read it here first!)
As a side note, ThreatSeeker™ also monitors the behavior of these trojan downloaders and categorizes the hosts they contact (which, more often than not, are their home bases). We knocked politely on this malware's front door with a browser:

But of course, what were we expecting? We need to first see the keymaker for authorization.
Also note the interesting choice of hostname, in the format of “travel.yahoo<something>”. Coincidentally, Yahoo! Inc. too has a hostname looking like that. Now what are the odds of that!
Feedback welcome: blog_feedback | at | websense.com



