Hackers reprogrammed the Web site for the Super Bowl stadium so it would automatically load a malicious script, Web security firm Websense said. This script would attempt to exploit a pair of known Windows security holes and install programs that would put the PC under the attacker's control.
"Assuming you're not patched, a Trojan downloader with a backdoor and a password stealer gets installed on your computer without you knowing it," said Dan Hubbard, vice president of security research at San Diego, Calif.-based Websense.
The initial breach of the Dolphin Stadium Web site appears to have occurred on January 25, Hubbard said. The site was cleaned up around 11 a.m. PST on Friday, he said.
A Dolphin Stadium representative confirmed the hack. "The stadium Web site was compromised and the problem was resolved," said the representative, who asked not to be named. She could not give an indication as to how many people were exposed to the attack, but did say the site is getting more visits "just because of the Super Bowl."
The attack exploited two known security holes in the way Windows handles Vector Markup Language, or VML, documents, Websense said. Microsoft issued patches for these flaws in September and January. This means that people who hadn't yet applied the latest Microsoft fixes would be vulnerable to the attack.
The file downloaded in the attack is a keystroke logger and a remote control tool, also called a backdoor, Websense said. Attackers get full access to the compromised PC.
"The Web is a hostile environment," said Jeremiah Grossman, chief technology officer at Web security company WhiteHat Security. "Eight out of 10 Web sites have serious flaws that enable these types of attacks. It's important for users to stay up to date with patches. However, another way to combat malicious hackers and malware is by using an alternative Web browser such as Firefox."
People who visited the Dolphin Stadium Web site with a Windows PC that lacked the most recent patches should run a security scan to clean their machines. Websense has provided details on the malicious code to antivirus software makers, so all security tools should detect it soon, Hubbard said.
"Some antivirus vendors do detect it today, but most do not. We are sharing this information with antivirus vendors to get their cleaning tools up to date," he said.
