Official Website for Super Bowl XLI Stadium Hosting Malware

Just as with email malware spam, popular topics of the day can become targets for website attacks as well. A case in point is a just-breaking (2/2/07) report by Websense that the website for Dolphin Stadium in Miami, Florida (where Super Bowl XLI will be held on Feb 4th) is (was) hosting malicious JavaScript. A number of other Super Bowl-related sites that are similarly infected have been identified by searching with Google, and are in the process of being notified and cleaned up. As with the IFRAME insertion attacks that are seen frequently, the only change to the page is the insertion of a single line pointing to an off-site malicious JavaScript file. This particular file tries to exploit MS06-14 (Microsoft Data Access Component) and MS07-004 (VML).

While the Websense advisory still says it's live, at the time I checked this via wget (about 10pm Eastern 2/2/07) the malicious link had been removed. This seems like a good example of how modern "website defacements" are much more likely to leave the website intact and simply slip in single links to external malware, and why browsing can be so dangerous on unpatched machines. It's not enough to avoid "shady" sites; you pretty much have to trust that any sites you normally go to won't be compromised.
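Because the only change is one added reference to an off-site file, a site owner can catch it by listing every script and IFRAME source on the fetched page and flagging hosts that are not expected. The following is an added example, not code from the original post or from any of the advisories; the host names, the sample page and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RemoteRefParser(HTMLParser):
    """Collect (tag, absolute URL) for every <script src> and <iframe src>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches too.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                # Resolve relative and protocol-relative ("//host/x.js") references.
                self.refs.append((tag, urljoin(self.page_url, src.strip())))


def unexpected_remote_refs(html, page_url, allowed_hosts):
    """Return (tag, host, url) for references that are neither same-host nor allowlisted."""
    trusted = {urlsplit(page_url).hostname} | {h.lower() for h in allowed_hosts}
    parser = RemoteRefParser(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.refs:
        host = urlsplit(url).hostname  # None for data:/javascript: sources, also reported
        if host not in trusted:
            findings.append((tag, host, url))
    return findings


# Constructed sample: a saved copy of a page with one unexpected off-site script.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://stats.partner.example/counter.js"></script>
</head><body><h1>Stadium events</h1>
<script src="http://cdn.unknown.example/3.js"></script>
</body></html>"""

if __name__ == "__main__":
    hits = unexpected_remote_refs(SAMPLE_PAGE, "http://www.stadium.example/",
                                  {"stats.partner.example"})
    for tag, host, url in hits:
        print(f"unexpected <{tag}> from {host}: {url}")
```

Run against a copy saved with wget on a schedule, any new entry in the output is a change to review, even when the rest of the page looks untouched.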

More information at:
The Internet Storm Center
Bleeding Edge Threats

Bleeding Edge Threats includes a Snort signature for the previously unknown trojan.

Edited: ISC posted some more information under another article ID. People have submitted logs showing the compromises related to this have gone back to at least November 06 (not necessarily for Dolphin Stadium itself of course).