The same script that planted malicious code last month on the Super Bowl site is responsible for the zero-day animated cursor file exploit on Windows XP SP2. McAfee uncovered the exploit, which preys on an unpatched vulnerability in Windows ANI files, earlier this week.
Websense discovered in February that the official Web site of Dolphin Stadium, which hosted Super Bowl XLI, had been compromised and was serving up malicious code. The attack affected thousands of sites, according to Websense, infecting them with a script.
The code, hidden under the file name “w1c.exe,” planted a Trojan and a keylogger, opening up sites to allow a rogue hacker to track and record keyboard strokes in order to steal credit card, Social Security or other user information.
That Super Bowl site exploit exploited two known vulnerabilities: MS06-014 in MDAC and MS07-004 in vector markup language.
That same script is now serving up the ANI file zero-day.
According to Websense, Googling the referenced script yields 113,000 results. “It’s likely that most of those sites were compromised through SQL injection vulnerabilities,” the security company says on its site. “Of course many of these sites have been cleaned up, malicious references removed, but not all.”
Microsoft as of yesterday still hadn’t come up with a patch or workaround for the ANI files vulnerability, which eEye called “one of the most potent zero-days recorded” by the security company’s Zero-Day Tracker.
However, eEye has come up with a temporary workaround. Users can get that patch, along with more information, here.