
February 2nd, 2007

Super Bowl stadium site hacked, seeded with exploits

Posted by Ryan Naraine @ 11:21 am

Categories: Botnets, Exploit code, Spyware and Adware, Viruses and Worms

Tags: Site, Ryan Naraine

The official Web site of Dolphin Stadium, home of Sunday's Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws.

In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities.

According to Dan Hubbard, senior director, security and technology research at Websense, the malicious site hosting the script has been taken offline by law enforcement officials but the hacked Dolphin Stadium site — which is attracting a lot of Super Bowl-related traffic — is still hosting the malicious JavaScript.

Source code of hacked Dolphin Stadium Web site.

A visitor to the site with an unpatched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker "full access to the compromised computer," Hubbard said.

Sources tracking the threat say the IP address of the server hosting the malware keeps changing. This means that unless the owner of the hacked site removes the malicious .js code and secures the server, exploits could start hitting unpatched visitors again.

The attackers are exploiting flaws patched in Microsoft's MS06-014 and MS07-004 bulletins.

[Updated: February 2, 2007 @ 2:42 pm] The dolphinstadium.com Web site has been cleaned but new information suggests another variation of the domain, which redirects to the main site, has now been compromised and is actively serving the exploits. "We're not out of the woods yet. This is real-time and on-going," a source said.

Websense has posted an advisory with screenshots.

The most important thing right now is to make sure your Windows machine is fully patched. Users can download and install the updates from Microsoft Update or the built-in Automatic Updates mechanism.

[Updated #2: February 2, 2007 @ 5:13 pm] All the affected Miami Dolphins sites (see Alexa traffic data) have now been disinfected but there is evidence that hundreds of other sites have been hijacked and rigged with the malicious JavaScript code. I've confirmed that the one-line code has been planted on an internal page of the U.S. government's Centers for Disease Control and Prevention Health Marketing site.
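For site owners checking their own pages for the kind of one-line script include described above, here is an added example (not from the original article or from Websense) that lists every `<script src>` whose host is neither the page's own nor on an allowlist. The sample page, host names and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptAudit(HTMLParser):
    """Collect every <script src=...> and record whether it sits inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts = []  # (src, in_head, line_number)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src.strip(), self.in_head, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def unexpected_scripts(html, page_url, allowed_hosts):
    """Return script includes whose host is not the page's own or allowlisted."""
    own = urlparse(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts} | {own}
    audit = ScriptAudit()
    audit.feed(html)
    findings = []
    for src, in_head, line in audit.scripts:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host is None or host.lower() not in allowed:
            findings.append({"src": src, "host": host, "in_head": in_head, "line": line})
    return findings

# Constructed sample page; hosts use reserved .example/.invalid names.
SAMPLE = """<html>
<head>
<script src="/js/menu.js"></script>
<script src="//cdn.stadium.example/lib.js"></script>
<script src="http://unknown-host.invalid/3.js"></script>
</head>
<body><script src="js/footer.js"></script></body>
</html>"""

if __name__ == "__main__":
    print(unexpected_scripts(SAMPLE, "http://www.stadium.example/", ["cdn.stadium.example"]))
```

Run against saved copies of each page (including pages served from alternate domains that redirect to the main site) and review any finding against the site's known script inventory.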

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

