
Super Bowl Site Trojan Aims to Nab Passwords

This story was updated at 3:02 p.m. Please read the entire post. -- The official Web site of Dolphin Stadium -- the location of this weekend's Super Bowl XLI game -- has been infected with a Trojan horse program. The virus seeks to download keystroke-logging software on Windows machines if users visit the site without the latest security updates from Microsoft, security experts warn.

Websense said the site still hosts the virus, and it advises people to steer clear of the site for now. The Trojan tries to use two different exploits to break into Windows PCs; one of them was fixed by a patch Microsoft issued just last month. It is clear that the bad guys are counting on major traffic to the site this weekend. According to Websense, the site is receiving a large number of visitors, thanks in part to some Super Bowl search terms that prominently link to the site. According to Web traffic-monitoring firm Alexa, the stadium site receives about 784,000 hits per week.

If you haven't been diligent about applying Microsoft patches, please take a moment to do that now by visiting Microsoft Update.

Microsoft always advises consumers to better protect themselves by visiting only "trusted sites." However, this type of attack highlights that even popular consumer sites can harbor serious problems. High-profile Web sites like Dolphin Stadium's should do even a rudimentary security review to thwart this type of attack.

Update, 3:02 p.m. ET: Stadium spokesman George Torres now says the site has been cleaned up. I've confirmed his claims with a few outside experts. It also appears that the same virus may have been seeded into other sites. The main "podcasts" page on the Web site for the Centers for Disease Control and Prevention appears to have been infected at some point (ah, the irony). It is unclear when that could have occurred, and it does not appear to be there now. The folks at CDC are checking on the situation. There obviously are multiple sites currently infected with this Trojan, so make sure you're up to date on Microsoft patches.

This attack depends on the user allowing JavaScript code to run in the browser. I often plug the "NoScript" extension for Mozilla's Firefox browser, which helps block this attack even on machines that do not have the patch.
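The post's point that a high-profile site should do "even a rudimentary security review" can be made concrete with an integrity check over the page's own HTML. The Python script below is an added example, not code from the article, from Websense, or from the stadium site; the host name, the sample HTML and the injected script URL are constructed placeholders. It builds a baseline of script hosts and inline-script hashes from a known-good copy of a page and then flags any script or iframe in a later copy that departs from that baseline, which is exactly the kind of change an injected, off-site script like the one described above would produce.

```python
"""
Rudimentary integrity review of a web page's script references.

Added example, not code from the article or any vendor it names. The page host,
sample HTML and the injected script URL below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources, inline script bodies and iframe sources."""

    def __init__(self):
        super().__init__()
        self.external = []   # src URLs of <script src=...>
        self.inline = []     # bodies of <script> elements without src
        self.iframes = []    # src URLs of <iframe>
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline_script = True
                self._buf = []
        elif tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf).strip())
            self._in_inline_script = False


def _host_of(url, page_host):
    """Host a URL loads from; relative URLs resolve to the page's own host."""
    host = urlparse(url).hostname
    return (host or page_host).lower()


def build_baseline(html, page_host):
    """Derive allowed script/iframe hosts and inline-script hashes from a known-good copy."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hosts = {_host_of(s, page_host) for s in p.external + p.iframes}
    hashes = {hashlib.sha256(b.encode()).hexdigest() for b in p.inline}
    return hosts, hashes


def review_page(html, page_host, baseline_hosts, baseline_inline_hashes):
    """Return a list of findings for anything that is not in the baseline."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    allowed = {h.lower() for h in baseline_hosts} | {page_host.lower()}
    findings = []
    for src in p.external:
        if _host_of(src, page_host) not in allowed:
            findings.append(f"external script from unexpected host: {src}")
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline_inline_hashes:
            findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
    for src in p.iframes:
        if _host_of(src, page_host) not in allowed:
            findings.append(f"iframe to unexpected host: {src}")
    return findings


PAGE_HOST = "stadium.example"  # constructed placeholder, not the real site

# Constructed known-good copy, as captured when the site was last reviewed.
KNOWN_GOOD_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script>var tracking = true;</script>
</head><body><h1>Schedule</h1></body></html>"""

# Constructed copy with an off-site script injected into the head.
INJECTED_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script>var tracking = true;</script>
<script src="http://attacker.invalid/w.js"></script>
</head><body><h1>Schedule</h1></body></html>"""

if __name__ == "__main__":
    hosts, hashes = build_baseline(KNOWN_GOOD_HTML, PAGE_HOST)
    for finding in review_page(INJECTED_HTML, PAGE_HOST, hosts, hashes):
        print("FINDING:", finding)
```

Run as a scheduled job against a fetched copy of each high-traffic page, the check reports only the delta from the last reviewed version, so a newly injected script reference stands out even on a page that changes often elsewhere.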

By Brian Krebs  |  February 2, 2007; 1:26 PM ET
Categories:  Latest Warnings  

Comments

This is why de-lousing Windows boxes is becoming a full-time business. I just did one that was shipped from Dell Dec 15th -- infected on or about Jan 23. It had Norton Internet Security (which I've now unloaded) but an older version of Java that went un-updated even though it was set to automatically do so.

This is a crime spree of un-paralleled proportions. An un-infected Windows machine is now an anomaly.

From out here on the ground, this appears to be big headlines that are not being covered by the media.

Posted by: Radardan | February 2, 2007 1:45 PM | Report abuse

"...an older version of Java that went un-updated even though it was set to automatically do so."

After they received their $38B from MS in settlement, Sun appears to have adopted the same "Trustworthy Computing Initiative"; just as reliable, too.

Trust them as much as you do MS.

.

Posted by: J. Warren | February 2, 2007 4:41 PM | Report abuse

The problem with the Java updates is that it provides a newer version, but leaves the old one resident. Older versions can be requested by the code, exploiting the vulnerability. It would have been better if the MS Java VM was still resident, as at least it would be handled by Microsoft Update.

The problem here is people either A) not updating (for which there is no excuse with automatic updates) or B) using faulty security applications such as Norton/Symantec (which have actually been used to spread infestations).

Posted by: Tim Provencio | February 2, 2007 5:13 PM | Report abuse

Sun has to better clean up their Java installs.. they're a mess.

Posted by: HarryD | February 2, 2007 5:49 PM | Report abuse

Heavily trafficked websites make great targets - especially if their administrators are too slow or lazy to keep their box up-to-date. Looks like it's not Microsoft's fault if you pick up this Trojan horse - the fix was given out a while ago. But then again, maybe our government put it on the site - to protect you, of course... Maybe do a FOIA on the NSA, FBI, NFL and the Pres to see what they say about it.

Posted by: Citizen | February 2, 2007 6:20 PM | Report abuse

Why aren't the telecom guys responsible for the propagation of viruses, worms, etc... over the Internet? Seems to me they are the gate keepers for the whole bit (I pay them to get online) so they should be responsible for managing these things. It seems unreasonable, and makes no sense at all that all PC's (regardless of OS, browser, etc..) should be guarding against viruses when the problem can be stopped at the carrier switch level.

Posted by: Carriers | February 2, 2007 6:50 PM | Report abuse

I am always reminded of how nice it is to use Apple Mac!!!

Posted by: William | February 2, 2007 9:20 PM | Report abuse

"Why aren't the telecom guys responsible for the propagation of viruses, worms, etc... over the Internet? Seems to me they are the gate keepers for the whole bit (I pay them to get online) so they should be responsible for managing these things. It seems unreasonable, and makes no sense at all that all PC's (regardless of OS, browser, etc..) should be guarding against viruses when the problem can be stopped at the carrier switch level."

Because that in itself would be an issue with net neutrality. In order to help save the consumer, the telecom would have to log users' downloads and visits. I don't want the telecom, or any other company, interfering with what I do online.

Posted by: Net Surfer | February 2, 2007 9:21 PM | Report abuse

Looks like Google's cache is showing infections only going back to February 1st. I guess it could have gone back even further.

Posted by: David Taylor | February 3, 2007 10:11 AM | Report abuse

"Why aren't the telecom guys responsible for the propagation of viruses, worms, etc... over the Internet? Seems to me they are the gate keepers for the whole bit (I pay them to get online) so they should be responsible for managing these things. It seems unreasonable, and makes no sense at all that all PC's (regardless of OS, browser, etc..) should be guarding against viruses when the problem can be stopped at the carrier switch level."

"Because that in itself would be an issue with net neutrality. In order to help save the consumer, the telecom would have to log users' downloads and visits. I don't want the telecom, or any other company, interfering with what I do online."

Not exactly true... messages and attachments with malware attached or embedded could be trashed without knowing user info. The message could simply be deleted, or the user could be notified if they want to be nice. The reason they don't do it is that NO ONE IS FORCING THEM TO DO IT. All carriers are government regulated, so they don't do anything that they aren't forced to do. And our congresspersons and state legislators are paid by them through political contributions to keep it this way.


Posted by: garykirk | February 3, 2007 12:00 PM | Report abuse

There is a reason why 94% of the world doesn't use Apple, and they had plenty of time to switch if they needed to.

I own 4 PCs and haven't seen a virus in 3 years. I have no antivirus; if you get virus infections you either turned off MS Update, own a pirated copy of MS, or are watching too much porn. Either way, it's probably time to switch to a Mac; the girlfriend that just dumped you for your ignorance won't mind. Fair enough?

Good ;-)

Posted by: Vinny | February 3, 2007 12:38 PM | Report abuse

Well, once again, I am pleased to be running Firefox with No-Script.

Posted by: sly | February 3, 2007 1:18 PM | Report abuse

I can easily assure you that if 94% of the world used Apple, Apple would be the major target, and plenty of security holes would be revealed. Regardless, anyone suggesting that Apple has no holes, or anyone suggesting that viral responsibility lies anywhere other than the virus creators/spreaders themselves (penalties need to be stiffened), you are naive and wasting our time.

Posted by: 1Taz | February 3, 2007 2:04 PM | Report abuse

Let's all thank Vinny (above) for his helpful, logical, and fact-based comment. Not.

I've been an admin on MS systems that got infected (within minutes post-install) when connected to the 'net because they didn't have anti-virus and the latest updates installed. (This was years ago, before I made my default security setting "paranoid.") I've worked on systems as an IT consultant that somehow got infected, even with apparently knowledgeable end-users, usually because of no anti-virus or no recent updates.

MS has responded to the seemingly exponential growth in virus/malware on MS-based systems by improving their security patching and updating. They put out fixes more quickly these days, and they are to be commended for that. They face a daunting task. Since MS has a near-monopoly in the end-user OS market and is dominant in the business server market, this makes their software a target for malware that other OSes (Mac OS, Linux, *BSD, OpenVMS...) aren't. The bullseye is painted on Microsoft's forehead.

But often it is a month or more before a MS update is posted to fix a known and publicly announced vulnerability. Because of this, anyone who runs MS without excellent real-time anti-virus protection is asking for their system to get broken into, even if they just ran Windows Update. The remote keyloggers are what scare me most these days.

So, anyone reading this, _PLEASE_ ignore Vinny and download/buy an anti-virus package that has a good recent reputation. Keep your virus software updated every day, too. Don't let someone turn your home PC into a spam factory or warez storage drone, much less steal your identity, your credit, your money. Please do this if you run Windows.

System Engineer from Blacksburg.

Posted by: SystemEngr | February 3, 2007 2:27 PM | Report abuse

Vinny,
I'd bet $1000 that if you really don't have AV installed on your computer, you DO have a virus or some other form of malware right now. A Windows XP box can get infected within 10 min of being connected to a high-speed connection. Just because your computer isn't crashing or has a serious fault doesn't mean that you don't have a keylogger or a zombie or something that you might never notice. You are nuts if you don't have

AntiVirus
Firewall (not the horrible Windows firewall)
AntiSpyware
and you regularly update windows.

Someone is eventually going to steal your identity, use your internet connection to send out spam, child porn, whatever. There are a myriad of attacks out there.

Posted by: Connor | February 3, 2007 3:41 PM | Report abuse

I'll 2nd SystemEngr's comments. I run a help desk at a major university and have found rootkits and hackware that actually protect their host computer from other invaders. They've hijacked your computer, and have set up their own sentries to guard against other hackers.

So, your infected computer can appear to be free of infection due to one set of bad guys keeping the rest of the bad guys out.

As SystemEngr said, you have only a few minutes on the Internet, with an unprotected computer, before it's attacked. If the attacker is good, they've got your computer as a host for their purposes, and you may never know it (until you install good anti-virus (anti-threat may be a better term) software).

There are vulnerabilities in all computer code (operating systems, web browsers, spreadsheets, etc.). Windows alone contains close to 50 million lines of code - there's a lot of places to hide in there. If you don't bring in an agent to sniff out the invaders and protect you from them, you're likely to become a victim of an attack.

Posted by: HelpDesk | February 3, 2007 4:05 PM | Report abuse

In setting up a new laptop and configuring web connections, I used the latest Firefox version, 2.0.0.1, and went to and bookmarked the Washington Post. When I tried to sign in, there was a message that the browser should be set to accept cookies, and for Mozilla/Firefox the instructions given were to go to 'Edit', then Preferences, then Privacy, etc., to allow cookies.

In fact, at present in Firefox this is done via Options, under Tools. And I had already set up Firefox, and yet could not sign in. I had to use Opera!

Hopefully the webmaster of the Washington Post will reconfigure his instructions.

Posted by: Raghavan | February 4, 2007 10:51 AM | Report abuse

In setting up a new laptop and configuring web connections, I used the latest Firefox version, 2.0.0.1, and went to and bookmarked the Washington Post. When I tried to sign in, there was a message that the browser should be set to accept cookies, and for Mozilla/Firefox the instructions given were to go to 'Edit', then Preferences, then Privacy, etc., to allow cookies.

In fact, at present in Firefox this is done via Options, under Tools. And I had already set up Firefox, and yet could not sign in. I had to use Opera!

Hopefully the webmaster of the Washington Post will reconfigure his instructions.
c.raghavan

Posted by: C.Raghavan | February 4, 2007 10:52 AM | Report abuse

>>This attack depends on the user allowing Javascript computer code to run in the browser.

To be more accurate: This attack depends on Microsoft having made (mistaken IMO) policy decisions about what IE's factory-default security settings--for the Internet zone, in particular--should be, and the user "allowing Javascript computer code to run" by not changing them.
http://windowssecrets.com/comp/061026#story1

Radardan,

Just out of curiosity: How did Java get installed onto that machine? I thought that a clean install of XP SP2 didn't include any Java VM. Is Dell now shipping XP SP2 instances with Java installed?
http://www.microsoft.com/mscorp/java/faq.asp
>Is there a way to ensure that a computer does not include the MSJVM?

>>An un-infected Windows machine is now an anomaly.

. . . You called? :-)

@1Taz:
>>if 94% of the world used Apple, Apple would be the major target, and plenty of security holes would be revealed.

Be that as it may, "revealed" is not the same thing as "exploited".

Posted by: Mark Odell | February 4, 2007 12:22 PM | Report abuse

Since the proliferation of spam appears to be coming from thousands of captured bots, is there a way that we could all be informed how to get a message back to the bot that sent a spam to one of us? That would put the bot owner on notice that he had a problem.
R Richardson

Posted by: R Richardson | February 4, 2007 1:34 PM | Report abuse

Meanwhile, as you guys continue the debate, in your spare time you might want to check out these 2 ISC entries:

- http://isc.sans.org/diary.html?storyid=2151
Last Updated: 2007-02-03 16:11:29 UTC

- http://isc.sans.org/diary.html?storyid=2166
Last Updated: 2007-02-04 21:17:53 UTC

...Your customers might appreciate it.

.

Posted by: J. Warren | February 4, 2007 8:25 PM | Report abuse

er... what bad luck..
but it's good the site is now cleaned up..

http://noctrlc.blogspot.com

Posted by: No Ctrl+C | February 6, 2007 10:55 AM | Report abuse

@R Richardson:
>>is there a way that we could all be informed how to get a message back to the bot that sent a spam to one of us? That would put the bot owner on notice that he had a problem.

One way that's been suggested is to use the NET SEND command to try to send an instant message to the machine's owner ("try to" because XP SP2 has the Messenger service disabled by default, so if the bot is running XP SP2, then 'NET SEND' IMs won't get through unless the service was enabled).
http://groups.google.com/group/news.admin.net-abuse.email/msg/475f0b9cea3b0c5c
http://groups.google.com/group/news.admin.net-abuse.email/msg/a5749c4a3ab9073a

Posted by: Mark Odell | February 6, 2007 11:16 AM | Report abuse

>One way that's been suggested is to use the NET SEND command to try to send an instant message to the machine's owner

Even if the victim does have Messenger enabled and not firewalled on the Internet, the message you send would look just like the messages sent by the fake anti-spyware scammers: "Your computer is infected! Windows has detected spyware infection. Click here to remove."

Posted by: Moike | February 6, 2007 3:18 PM | Report abuse

Moike,

Just so. That's why I selected that first link: "Don't be polite though."

Posted by: Mark Odell | February 6, 2007 4:25 PM | Report abuse

I want the free edition of AVG antivirus software.

Posted by: meghanath | February 7, 2007 2:48 AM | Report abuse

Just a comment for everyone confused about Java vs. JavaScript. JavaScript has nothing to do with either Java or Sun.

I won't launch into the history of the Netscape browser, but if you want to know why the scripting language was named "JavaScript", it was simply marketing. Netscape (its creator) was trying to cash in on the popularity of Java.

Posted by: waydaws | February 8, 2007 12:18 PM | Report abuse

William: are you suggesting they host the site with Macintosh computers? What model would you suggest - keeping in mind issues of scalability and throughput.

Posted by: Rick | February 9, 2007 9:27 PM | Report abuse

At the same time it's of course irresponsible to use Microsoft products on web servers. If not anywhere. Of course it is.

Posted by: Rick | February 9, 2007 9:29 PM | Report abuse

Java installs should have a better firewall

Posted by: David botrous | February 10, 2007 12:38 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company