Topic: Browser

Super Bowl stadium site hacked, seeded with exploits

Summary: The official Web site of Dolphin Stadium, home of Sunday's Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws. In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site.

By Ryan Naraine for Zero Day | February 2, 2007 -- 11:21 GMT (03:21 PST)

Follow @ryanaraine

The official Web site of Dolphin Stadium, home of Sunday's Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws.

In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities.

According to Dan Hubbard, senior director, security and technology research at Websense, the malicious site hosting the script has been taken offline by law enforcement officials but the hacked Dolphin Stadium site -- which is attracting a lot of Super Bowl-related traffic -- is still hosting the malicious JavaScript.

A visitor to the site with an unpatched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker "full access to the compromised computer," Hubbard said.

Sources tracking the threat say the the hosted malware's server host's IP address address keeps changing. This means that unless the owner of the hacked site removes the malicious .js code and secure their server, exploits could start hitting unpatched visitors again.

The attackers are exploiting flaws patched in Microsoft's MS06-014 and MS07-004 bulletins.

[Updated: February 2, 2007 @ 2:42 pm] The dolphinstadium.com Web site has been cleaned but new information suggests another variation of the domain, which redirects to the main site, has now been compromised and actively serving the exploits. "We're not out of the woods yet. This is real-time and on-going," a source said.

Websense has posted an advisory with screenshots.

The most important thing right now is to make sure your Windows machine is fully patched. Users can download and install the updates from Microsoft Update or the built-in Automatic Updates mechanism.

[Updated #2: February 2, 2007 @ 5:13 pm] All the affected Miami Dolphins sites (see Alexa traffic data) have now been disinfected but there is evidence that hundreds of other sites have been hijacked and rigged with the malicious JavaScript code. I've confirmed that the one-line code has been planted on an internal page of the U.S. government's Centers for Disease Control and Prevention Health Marketing site.

Topic: Browser

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

164 comments

Log in or register to join the discussion

What I find to be disquieting

is not so much as there are flaws in Windows that users have
left un-patched, but more to the fact that someone could easily
gain access to multiple web servers to install the malevolent script in the first place. Do not the Administrators check to ensure that all vulnerabilities in their own servers are removed?

GuidingLight
2 February, 2007 12:45

Reply Vote
- Why should the admins check?
  
  That would show a definite lack of confidence in the MS-Gurus (it's not a bug until MS say it is).
  
  John L. Ries
  2 February, 2007 13:33
  
  Reply Vote
  - MS said it was
    
    I am unhappy with M$ too, but I have to disagree. M$ said those were bugs and put the patch on the net. The admins screwed up royally.
    
    G Fedorchuk
    3 February, 2007 17:05
    
    Reply Vote
  - Does your statement display
    
    a lack in your understanding of the question asked? If I read your statement correctly, you are implying that you feel it is not an issue that a site can be hacked to insert a malicious line of code it.
    
    I say this as you immediately placed blame on Microsoft for having the vulnerability in it?s Windows Operating system, yet most deftly avoided the fact that the website?s administrators allowed it?s site software to be broken into.
    
    GuidingLight
    3 February, 2007 20:20
    
    Reply Vote
- Help Wanted
  
  Web Developer and System Administrator, Contact The Miami Dolphins Stadium Management Team
  
  timcarlo
  2 February, 2007 14:34
  
  Reply Vote
  - They were alerted since Jan 31
    
    What's even more startling is that they were alerted about the compromise by multiple sources since January 31. They didn't act on it until Websense got into the fray. Look out for a follow-up entry on this.
    
    _ryan
    
    Ryan Naraine
    2 February, 2007 14:43
    
    Reply Vote
- Crackers' Paradise
  
  When I looked at CMS frameworks used for building fancy websites, I read up on one CMS that boasted "With other CMS's a skilled cracker can gain administrator access in 5 minutes. With the advanced security enhancements used in our CMS, it take a cracker at least 15 minutes to get in".
  
  I stuck with a static website - no-one has cracked it yet.
  
  ksarkies
  2 February, 2007 14:47
  
  Reply Vote
- What's disquieting is...
  
  ...that China seemingly couldn't care less about any kind of IP rights, electronic piracy, or being a hacker-haven. We in the USA should be doing some serious thinking before allying our business futures with a country whose government controls how you advertise and much of what your company can do there, yet is essentially immoral and criminal per our naive Western expectations of what govt officials are expected to do.
  
  archetuthus
  9 March, 2007 08:17
  
  Reply Vote
So, did Gates lose that bet he made in Newsweek? ;) [nt]

nt.

olePigeon
2 February, 2007 12:48

Reply Vote
When Ignorance Becomes Criminal Negligence

What company, what technologists--building a site in today's criminal-infested world--leaves a site so unprotected that it exposes millions of visitors to this sort of exploitation?

archetuthus
2 February, 2007 12:49

Reply Vote
- I'm with you.
  
  Fire the IT staff and replace everybody. This is criminal. What a bunch of lames.
  Who hired these guys? People who make money cleaning out infected machines? Argggggh...
  
  guygo
  2 February, 2007 13:53
  
  Reply Vote
- When Ignorance Becomes Criminal Negligence Pt. 2
  
  What company, what technologists--building a site in today's criminal-infested world--creates software that's so unprotected that it exposes millions of visitors to this sort of exploitation?
  
  Ummmmmm....... Microsoft? (Bing-Bing-Bing, You are correct!)
  
  Hard Cider
  2 February, 2007 19:15
  
  Reply Vote
- My biggest grip with Microsoft has always been...
  
  that they've made it too easy to feel like you know what you're doing. Securing any server directly connected to the Internet is not an easy job. It takes constant work, keeping up with known exploits in almost real time. It took me doing it for 6 months the right way to realize being a programmer wasn't that bad after all. At least I could make sure there were no buffer overflow exploits in my own code. As a programmer, I have to worry about my code and the code of my compiler vendor. I don't have to worry about every other piece of software running on the box. Anyway, back to my point.
  
  There are countless paper MCSEs in this country. And then there are countless people who are a one-man IT shop because they can figure out how to hook up a router and share the Internet with the whole office. A lot of these people actually have themselves convinced that they know what they're doing because Windows makes it easy to feel that way. A fourth grader can install Windows Server 2003 from a cd and set up a domain.
  
  I honestly believe that setting up a network should be hard to do. It should be hard because of the likely eventualities having a network will bring around. In this day and age, it's a virtual certainty that if you have a computer network, at some point one of the workstations on that network will connect to the Internet. That's all it takes, and all true professionals have a firm understanding of that. That thought never enters the mind of "those others".
  
  jasonp@...
  3 February, 2007 17:17
  
  Reply Vote
Linux people are anti-football too...

It is now obvious that the Linux crowd is not only anti-capitalist but also anti-football. Anyone who attacks a Windows based site that is hosting a web page for the #1 Sports Event in America is showing their true colors. One of my fellow CIO friends here mentioned something along the lines that the NFL has the money to run UNIX and should do so. This infuriated me to no end. I had my MCSEs and MCSDs dress up in football uniforms and tackle each and raid the building of this fool. I then screamed the new slogan for Super Bowl XLI - "Windows is #1 during Super Bowl 41!".

Mike Cox
2 February, 2007 12:58

Reply Vote
- Take a deep breath, Mike, and calm down!
  
  I'd hate to see you flagged for excessive something-or-other.
  
  Just a couple of things: 1) The Super Bowl is the #1 Sports Event in THE WORLD!
  (Don't get me started on the "futbol" vs. "football" drivel the EU and the rest of the
  Linux-loving, deluded and bitter 3rd world spouts) and 2) Are you writing from the
  VIP Suite you and your Rep are sharing at Dolphin Stadium?
  
  I recommend the conch fritters with a Bacardi Mojito.
  
  dshans@...
  2 February, 2007 13:27
  
  Reply Vote
  - You have it all wrong....
    
    We all know by now that Mike prefers scones, brandy and a good cigar.
    
    >>I recommend the conch fritters with a Bacardi Mojito.<<
    
    shawkins
    2 February, 2007 15:32
    
    Reply Vote
    - Point taken ...
      
      ... but "all" might be a bit harsh! "When in Rome" and all that salsa. I'm sure The
      Coxster and his Rep would have no problemos finding a cigarro muy excelente en
      Miami. I'm not sure, though, that they'd be allowed to enjoy them in a comfort and
      security in their MSFT Box similar to that which Vista assures them in their cyber
      suite.
      
      I, myself, prefer a R?my Martin XO. It works seamlessy, securely and innovatively
      with any scone or cigar. It's the only way to go.
      
      dshans@...
      4 February, 2007 16:18
      
      Reply Vote
- weak.
  
  C'mon Mikey, we all know you can do better than that. "Windows is #1 during Super Bowl 41!"?
  
  Next thing you know, he'll call us UNIX users and admins un-American since we prefer our operating systems over Windows...
  
  nix_hed
  2 February, 2007 13:30
  
  Reply Vote
- Another good one. 8.0
  
  Of course, only the "Linux Crowd" would ever want to hack a Windows based site. Rent-a-mob, of course, has been an acceptable form of political expression since the aftermath of the 2000 presidential election.
  
  John L. Ries
  2 February, 2007 13:30
  
  Reply Vote
- *Sigh*, I confess...
  
  Not only is this 107.32% true, but I can now exclusively reveal that Janet Jackson's wardrobe was running Linux in 2004.
  
  Zogg
  2 February, 2007 13:41
  
  Reply Vote