02-02-2007, 09:29 PM
The official Web site of Dolphin Stadium, home of Sunday's Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws.
In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities.
According to Dan Hubbard, senior director, security and technology research at Websense, the malicious site hosting the script has been taken offline by law enforcement officials but the hacked Dolphin Stadium site — which is attracting a lot of Super Bowl-related traffic — is still hosting the malicious JavaScript.
A visitor to the site with an unpat[url "http://content.zdnet.com/2346-9595_22-53279-1.html"]![[Image: 53281-525-206.jpg]](http://i.zdnet.com/gallery/53281-525-206.jpg)
[/url]ched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker "full access to the compromised computer," Hubbard said.
Sources tracking the threat say the the hosted malware's server host's IP address address keeps changing. This means that unless the owner of the hacked site removes the malicious .js code and secure their server, exploits could start hitting unpatched visitors again.
The attackers are exploiting flaws patched in Microsoft's [url "http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx"][#003399]MS06-014[/#003399][/url] and [url "http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx"][#003399]MS07-004[/#003399][/url] bulletins.
[Updated: February 2, 2007 @ 2:42 pm] The dolphinstadium.com Web site has been cleaned but new information suggests another variation of the domain, which redirects to the main site, has now been compromised and actively serving the exploits. "We're not out of the woods yet. This is real-time and on-going," a source said.
Websense has posted an [url "http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733"][#003399]advisory[/#003399][/url] with screenshots.
The most important thing right now is to make sure your Windows machine is fully patched. Users can download and install the updates from [url "http://update.microsoft.com/"][#003399]Microsoft Update[/#003399][/url] or the built-in [url "http://www.microsoft.com/athome/security/update/bulletins/automaticupdates.mspx"][#003399]Automatic Updates[/#003399][/url] mechanism.
[signature]
In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities.
According to Dan Hubbard, senior director, security and technology research at Websense, the malicious site hosting the script has been taken offline by law enforcement officials but the hacked Dolphin Stadium site — which is attracting a lot of Super Bowl-related traffic — is still hosting the malicious JavaScript.
A visitor to the site with an unpat[url "http://content.zdnet.com/2346-9595_22-53279-1.html"]
[/url]ched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker "full access to the compromised computer," Hubbard said. Sources tracking the threat say the the hosted malware's server host's IP address address keeps changing. This means that unless the owner of the hacked site removes the malicious .js code and secure their server, exploits could start hitting unpatched visitors again.
The attackers are exploiting flaws patched in Microsoft's [url "http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx"][#003399]MS06-014[/#003399][/url] and [url "http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx"][#003399]MS07-004[/#003399][/url] bulletins.
[Updated: February 2, 2007 @ 2:42 pm] The dolphinstadium.com Web site has been cleaned but new information suggests another variation of the domain, which redirects to the main site, has now been compromised and actively serving the exploits. "We're not out of the woods yet. This is real-time and on-going," a source said.
Websense has posted an [url "http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733"][#003399]advisory[/#003399][/url] with screenshots.
The most important thing right now is to make sure your Windows machine is fully patched. Users can download and install the updates from [url "http://update.microsoft.com/"][#003399]Microsoft Update[/#003399][/url] or the built-in [url "http://www.microsoft.com/athome/security/update/bulletins/automaticupdates.mspx"][#003399]Automatic Updates[/#003399][/url] mechanism.
[signature]
¸.·´¯`·.´¯`·.¸¸.·´¯`·.¸><(((º>
TheAngler BFT Moderator
TheAngler BFT Moderator