Security Watch

Keeping Track of patches and hacks in the IT security world.

ANI Exploit Tied to Hacked Super Bowl Site

The same script that planted malicious code last month on the Super Bowl site is responsible for the zero-day animated cursor file exploit on Windows XP SP2. McAfee uncovered the exploit, which preys on an unpatched vulnerability in Windows ANI files, earlier this week.

Websense discovered in February that the official Web site of Dolphin Stadium, which hosted Super Bowl XLI, had been compromised and was serving up malicious code. The attack affected thousands of sites, according to Websense, infecting them with a script.

Last month, Websense reported that the official Web site of Dolphin Stadium, host of Super Bowl XLI, was compromised and was serving up malicious code. In fact, Websense said, the site was the staging ground for a massive attack that affected thousands of Web sites. Those sites were injected with a JavaScript file that had been inserted into the header of the front page of the Dolphin Stadium's site.

The code, hidden under the file name "w1c.exe," planted a Trojan and a keylogger, opening up sites to allow a rogue hacker to track and record keyboard strokes in order to steal credit card, Social Security or other user information.

That Super Bowl site exploit exploited two known vulnerabilities: MS06-014 in MDAC and MS07-004 in vector markup language.

That same script is now serving up the ANI file zero-day.

According to Websense, Googling the referenced script yields 113,000 results. "It's likely that most of those sites were compromised through SQL injection vulnerabilities," the security company says on its site. "Of course many of these sites have been cleaned up, malicious references removed, but not all."

Microsoft as of yesterday still hadn't come up with a patch or workaround for the ANI files vulnerability, which eEye called "one of the most potent zero-days recorded" by the security company's Zero-Day Tracker.

However, eEye has come up with a temporary workaround. Users can get that patch, along with more information, here.