Dolphin Stadium Website Hacked

It appears that the website of the Dolphin Stadium (home of Sunday’s Super Bowl XLI) has been compromised, and a malicious trojan downloader was embedded into the website code:

[Image: screenshot of the Dolphin Stadium page source showing the injected script include (image © Websense)]

From the source:

A link to a malicious javascript file has been inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. Both of these exploits attempt to download and execute a malicious file.

The file that is downloaded is a NsPack-packed Trojan keylogger/backdoor, providing the attacker with full access to the compromised computer. The filename is w1c.exe and its MD5 is ad3da9674080a9edbf9e084c10e80516

We have notified the owners of the site, but the site is currently still malicious.

So heads up to Superbowl fans who use Windows – stay clear of that website!

Big congratulations to the webmaster. This is a class A fail. Good job there buddy.





14 Responses to Dolphin Stadium Website Hacked

  1. Elephantman UNITED STATES Mozilla Firefox Windows says:

    How did you come across this?
    Seems like an obvious code apart from the rest.

  2. Luke UNITED STATES Mozilla Firefox Windows says:

    I found it through websense security alerts. It’s one of the worst breaches of this type I have seen in a while – especially considering that tomorrow is the Superbowl and they still haven’t fixed it.

    I wouldn’t say it is entirely obvious – it probably would be relatively easy to miss if you didn’t pay attention to all the javascript imports in the header files. Still, it’s no excuse.

  3. Elephantman UNITED STATES Mozilla Firefox Windows says:

    How does that work? (I hate the people that say that in forums, but I’m not really into java that much.) And all I know about headers is that they’re the address of everything about the email you get. And by the email you can obtain an IP. Headers are stored in javascript??

  4. ZeWrestler UNITED STATES Mozilla Firefox Windows says:

    That’s priceless Luke. It goes to show you that even websites you assume are safe have the potential to be dangerous.

  5. Elephantman UNITED STATES Mozilla Firefox Windows says:
  6. Luke UNITED STATES Mozilla Firefox Windows says:

    Huh?

    No, I meant that you would usually put all of this kind of stuff (ie. declarations of all the javascript scripts that you will use on the page, references to stylesheets, top of the page graphics, the navigation menus and etc..) into some sort of header file and then import it at the top of each page.

    Usually the header files won’t change that often – and if I was trying to compromise a website I would try to find such a file and then insert my malicious script there – this way it would appear on every single page of the website.

    Then there of course are the email headers, and the html headers. Every HTML server sends a set of headers with each page. They tell the browser how to render the page properly. For example the headers of this website are:

    HTTP/1.1 200 OK
    Date: Sun, 04 Feb 2007 02:25:32 GMT
    Server: Apache/2.0.54 (Unix) PHP/4.4.4 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.3.2
    X-Powered-By: PHP/4.4.4
    X-Pingback: http://www.terminally-incoherent.com/blog/xmlrpc.php
    Set-Cookie: bb2_screener_=1170555933+69.249.57.64; path=/blog/
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 20
    Connection: close
    Content-Type: text/html; charset=UTF

    I guess the easiest way you can see the headers is using the text browser lynx:

    lynx -head http://example.com

    Email headers are similar but they contain additional information about the servers the email visited, the sender, email client that was used to send it and etc..

    Regarding the IP – there are many ways to find it. For example, each time you load a page in your browser, it sends out an HTTP request to the server. This request contains your IP, the page you wish to view and some other info. The server then sends you back the page so you can view it.

    So if you browsed my site I can find out your IP address (and by that your ISP), what kind of browser you use, what kind of OS you are running and etc..

    Javascript is a scripting language that can be used to do all sorts of fancy stuff with web pages. For example – if you go to Google Maps, you can drag the map to move it around – that’s done using javascript. Similarly the dots game I posted is also javascript.

    You can also use javascript to trigger a download of a malicious trojan on an unpatched windows machine using IE – which is what happened in this case.

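The two things Luke describes above, the HTTP response headers that precede every page and a shared page header into which an attacker drops an extra script include, can both be checked from the defender's side with a few lines of code. The following is an added example, not code from the post or from Websense: it splits a raw HTTP/1.x response into status line, headers and body, then lists every `<script src>` in the HTML whose host is not on the site's own allowlist. The sample response, the `allowed_hosts` set and the `attacker-host.invalid` include are constructed for the example.

```python
"""Parse a raw HTTP response and flag script includes from unexpected hosts.

Added example (not the post's code). The response below is constructed: a page
whose shared header carries one injected third-party include next to the site's
own assets.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response (headers + HTML body), CRLF-delimited as on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 04 Feb 2007 02:25:32 GMT\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Stadium</title>\n"
    '<script src="/js/nav.js"></script>\n'                       # same-origin, expected
    '<script src="http://www.example.com/js/menu.js"></script>\n'  # allowlisted host
    '<script src="http://attacker-host.invalid/x.js"></script>\n'  # constructed injected include
    "</head><body><p>Welcome</p></body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. The first blank line ends the header block.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers blank line found")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    """Return all <script src=...> values in document order."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return collector.srcs


def unexpected_script_hosts(html, allowed_hosts):
    """Return script src values served from a host outside allowed_hosts.

    Relative URLs have no host and are treated as same-origin (expected);
    protocol-relative '//host/x.js' includes are still checked.
    """
    flagged = []
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged


def check_page(raw, allowed_hosts):
    """Parse a raw response; for HTML bodies, report unexpected script hosts."""
    _status, headers, body = parse_response(raw)
    if not headers.get("content-type", "").startswith("text/html"):
        return []  # only HTML carries script includes
    return unexpected_script_hosts(body, allowed_hosts)


if __name__ == "__main__":
    status, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(status, "| server:", hdrs.get("server"))
    for src in check_page(SAMPLE_RESPONSE, {"www.example.com"}):
        print("unexpected script include:", src)
```

In practice you would feed `check_page` the bytes returned by a periodic fetch of the front page (or a diff of the shared header file on disk) and alert whenever the flagged list is non-empty; keeping the allowlist to the site's own hosts is what makes a one-line injection like the one above stand out.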
  7. Luke UNITED STATES Mozilla Firefox Windows says:

    Ze – this one is a biggie. I suspect that there will be quite a few people hit by this.

    They picked a perfect time to do this, and their web staff doesn’t seem to be “on the ball” so to speak :mrgreen:

    Elephantman – I fixed the link you tried to post. It goes:

    <a href="url">link text</a>

    Not sure how that site is relevant to the topic at hand though. :| If you want to share a cool link, just email it to me or something.

  8. Elephantman UNITED STATES Mozilla Firefox Windows says:

    There’s a lot you wrote there…I knew java could do that. Instead of opening another url, it happens all in the same page. I tried to give a link, but I never code that often, http://www.widgipedia.com/. This page is Java right? (just read your email, thanks for fixing.) Don’t know your email, haven’t really looked around much for it, just put it in the comments…nice site; I know it’s not relevant, I apologize. I just don’t understand how someone unauthorized can change the header without the Admin knowing.
    I’ve always been more interested in hacking software than webpages. People do this for what reason? Ah, they’re just really bored. Now compromising a system on hands is more fun.

  9. Luke UNITED STATES Mozilla Firefox Windows says:

    No worries.

    Well, yes that page does have some Javascript.

    Btw – Javascript and Java are very different. Javascript is a scripting language developed by Netscape. It is mainly used for making web pages do cool stuff. Java is a full fledged programming language by Sun that can be used to write applications or powerful server side backends.

    I just don’t understand how someone unauthorized can change the header without the Admin knowing.

    Well, first you compromise the server. The Dolphin Stadium seems to be running IIS 5.0 and ASP 1.1.4. Oops, it’s a windows machine!!! Most likely unpatched.

    Chances are that there are plenty of remote exploits you could use to take over that box. Once you’re in, you just do whatever. :)

    I’ve always been more interested in hacking software then webpages.

    It’s the same thing really. To “hack” a webpage you need to gain control of the server on which it is located. You are really exploiting the underlying software.

  10. Elephantman UNITED STATES Mozilla Firefox Windows says:

    Whelp, my fav Bittorrent site (Demonoid) just crashed. And that is lame indeed.

    So; just reading what you’re saying. Linux is better.

  11. Luke UNITED STATES Mozilla Firefox Windows says:

    Well, yes and no. IIS is notoriously exploitable unless locked down properly. Unpatched windows can also be an easy target.

    But then again Linux can also be easily exploited if you are running an old version of Apache, an old ssh server and etc…

  12. Elephantman UNITED STATES Mozilla Firefox Windows says:

    Thank you much, for the information. I will look more into IIS when I have the time.
    Dinner is almost ready so…

    And I hope you liked the widget site. LSTM

  13. Craig Betts UNITED STATES Mozilla Firefox Mac OS Terminalist says:

    Yet another fine reason to run something beside Windoze . . .

  14. Luke UNITED STATES Mozilla Firefox Windows says:

    Heh – I wonder if that trojan is “Vista Ready” :P

