Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

American Football Championship Shenanigans

Published: 2007-02-02
Last Updated: 2007-02-08 16:58:49 UTC
by Kevin Liston (Version: 7)
0 comment(s)
Websense Labs has reported that "the official website of Dolphin Stadium has been compromised with malicious code."  As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding.  The malicious script is reported to exploit vulnerabilities described in Microsoft Security Bulletins MS06-014 and MS07-004.
www.websense.com/securitylabs/alerts/alert.php?AlertID=733

Bleedingthreats.net has a signature available: www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_Downloader

The first reported site has been repaired (for now?)
Other sites have been identified using some googledorking and are in the process of being informed.

UPDATE:
McAfee has released updated signatures to detect Backdoor-DKT: vil.nai.com/vil/content/v_141405.htm#tab7
Other AV vendors should have specific signatures by now as well.


UPDATE2:


A similar (identical?) exploit is served by the following domains. At this point, the best defense (after patching) is to block these domains and monitor DNS requests for them. Infected machines will try to call home to them.

w1c.cn, dv521.com, bc0.cn, 137wg.com, newasp.com.cn

dv521.com was the domain used in the dolphinstadium.com defacement. Thanks to the cooperation from Xin-Net, the domain is no longer resolving. But there is always a chance that it will come back.

If your website is defaced by this group: Please contact us and preserve logs.

UPDATE3:
We had 'www.natmags.co.uk' listed here earlier. According to information from the system administrator for the site, the javascript file on that site is not malicious and just happens to have the same filename.

UPDATE4:
Updating our earlier update :-), the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit, as can be shown with a little PERL-fu to make it readable: cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www.exe is no longer available on the server though (or doesn't download).
Keywords:
0 comment(s)
Diary Archives