The script attempts to exploit two previously-fixed vulnerabilities, one of which is a bug in Internet Explorer's handling of vector markup language (VML) that was patched 9 January by Microsoft.
Both exploits attempt to download a keylogger that "provides the attacker with full access to the compromised computer," the alert said. Websense said it notified Dolphin Stadium officials about the attack.
The site was vulnerable from about noon to 2:30 p.m. today, said George Torres, a Dolphin Stadium spokesman. An unknown number of visitors were affected, he said.
"Security was compromised earlier today," Torres said. "We've cleaned it. [The site] is back up and running. We're making sure we can try to prevent this from happening again."
The FBI was notified, he said.
A signature for the trojan is available on Bleedingthreats.com, Kevin Liston of the SANS Internet Storm Center said today on the organisation’s blog.
Experts said the attack was professional.
"It was not a football fan who did it to voice his opinion on who was going to win," Wolfgang Kandek, vice president of operations at Qualys, told SCMagazine.com today. "He thought this was going to be a heavily trafficked site that he found a vulnerability on."
Dee Liebenstein, vice president of product management at Securewave, said attacks such as this one are especially successful because they appear on official, trusted websites. She said the burden falls on website developers to apply security best practices and also on end users to ensure they are updating their PCs with the latest patches.
The stadium site, which is linked to on the official Super Bowl website, is receiving heavy traffic in advance of Sunday’s showdown between the Indianapolis Colts and the Chicago Bears.
Super Bowl XLI: Hackers use Dolphin Stadium website to exploit PCs
By Dan Kaplan on Feb 2, 2007 7:47PM