ANI File Exploit Has Connection With Hacked Super Bowl Site
Thursday March 29, 2007 at 11:03 pm CST
Posted by Craig Schmugar
Another follow-up to my Unpatched Drive-By Exploit Found On The Web post.
Last month Websense reported that the official website of Dolphin Stadium, host of Super Bowl XLI, was compromised and serving malicious code. In fact, that was a massive attack affecting thousands of websites. Those sites were injected with a script reference that pointed to exploit code. At that time, the code exploited known vulnerabilities.
The SANS Institute did some investigating into that incident. They posted portions of a response they received from a system admin which made it clear that a remote attacker had exploited a SQL injection vulnerability to embed the malicious script. The same script is now serving the ANI file 0-day exploit reported yesterday. Googling the referenced script yields 113,000 results. It's likely that most of those sites were compromised through SQL injection vulnerabilities. Of course many of these sites have been cleaned up, with the malicious references removed, but not all.
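Because the injected content lived in the sites' own databases and was rendered into every page, a site owner cleaning up after this kind of attack needs to scan stored page bodies for script references that point off-site. The following is an added example, not code from the original post or from McAfee: it builds a small in-memory SQLite table of constructed page bodies (the hosts `cdn.example` and `injected.example` are made up for the demonstration), extracts every `<script src=...>` reference and flags the ones whose host is not on the site's allowlist. Relative paths are treated as the site's own files; protocol-relative (`//host/...`) references are resolved to their host so they are not missed.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed for the example).
ALLOWED_HOSTS = {"cdn.example"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def external_script_sources(html, allowed_hosts):
    """Return script src values whose host is not in allowed_hosts.

    Relative sources (no host) are assumed to be served by the site itself
    and are not flagged; protocol-relative '//host/path' sources are.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative paths, lowercased otherwise
        if host is None:
            continue
        if host not in allowed_hosts:
            flagged.append(src)
    return flagged


def build_sample_db():
    """Create an in-memory pages table with constructed sample bodies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    rows = [
        (1, "Home", '<html><body><script src="/js/site.js"></script>Welcome</body></html>'),
        (2, "Tickets", '<p>Buy tickets</p><script src="http://injected.example/w.js"></script>'),
        (3, "News", '<script src="https://cdn.example/lib.js"></script><p>News</p>'),
        (4, "Contact", '<p>Contact</p><SCRIPT SRC="//injected.example/x.js"></SCRIPT>'),
    ]
    # Parameterized insert: the values never become part of the SQL text.
    conn.executemany("INSERT INTO pages (id, title, body) VALUES (?, ?, ?)", rows)
    return conn


def scan_pages(conn, allowed_hosts):
    """Scan every stored page body and return (page_id, src) for off-site scripts."""
    findings = []
    for page_id, _title, body in conn.execute("SELECT id, title, body FROM pages ORDER BY id"):
        for src in external_script_sources(body, allowed_hosts):
            findings.append((page_id, src))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for page_id, src in scan_pages(db, ALLOWED_HOSTS):
        print(f"page {page_id}: off-site script {src}")
```

Run against a real site's content tables, the allowlist is the only thing that needs changing; any src that resolves to a host outside it is worth a look, and an unexpected host shared by many pages is the pattern the mass injection described above would leave behind. The parameterized `executemany` call is also the shape of query that closes the injection vector the post attributes the compromise to.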

March 30th, 2007 at 05:58
http://isc.sans.org/diary.html?storyid=2537
IE7.0 SP2
March 30th, 2007 at 08:34
[...] Trackback [...]
April 1st, 2007 at 10:15
AVG also detects it
April 2nd, 2007 at 14:04
[...] There are a huge number of innocent Web sites–hacked by the same group that hacked the Superbowl site–that are hosting a file which exploits an unpatched hole in many recent Windows versions. The file was created in such a way that it can cause a system to download and run malware. [...]
May 2nd, 2007 at 13:34
[...] As for websites, this can be a bit trickier. There are some more clear-cut cases where the website itself is dodgy – warez sites, software-cracks sites, etc. If you’re getting stolen or hacked software, you run the risk of getting more than you bargained for, plain and simple. A website can also be basically innocent, yet still be problematic: Websites need to be protected and patched just like any other machine. Even big websites can be hacked to serve up nasty code to be dumped on you when you come to visit, like in the case of the recent ANI zero-day exploit. [...]
November 26th, 2007 at 15:09
[...] I know we’ve all thought about it, but for some reason this one is hitting a little more than others. Partially because I think we all like to think we are unique and every hack needs to be forensically important. Think about if you were running the Miami Dolphins and you were to see this happen to your site. You’d want answers, and you’d want them now. And then after spending countless hours and tons of resources you’d find that the answer is you were just one hack of 25,000. An interesting website but insignificant in the grand scheme of the attack. [...]
November 29th, 2007 at 02:42
[...] It’s an interesting thought to think that one attack compromised 25,000 websites, which in turn could have compromised potentially hundreds of thousands or even millions of remote machines via the ANI payload through XSS. And ultimately, the attackers are still at large. Pretty scary concept when you think about the low level of diversity in open source web applications, making them much more susceptible to attack. Maybe that tiny webapp hole isn’t so tiny after all. [...]