The Fox Sports website remains infected and a risk to the 11m+ unique visitors (as reported by Compete). This website is ranked at 135th in the United States and 523rd most popular in the World according to Alexa remains compromised and a major security risk to end-users.
zvelo first reported on this threat on Friday, October 2nd, but was incorrect in saying that the infection was cleaned up. [Clarification: the specific pages zvelo examined were cleaned, but other pages have been discovered to still be compromised.] As of today, certain pages on the Fox Sports site remain infected. The zvelo team has written to the webmaster at Fox Sports (along with all contacts listed in their whois records) with some details that we hope will help their team clean up the website. When we hear back from them, we will post so here.
Note that the malware being delivered through this threat remains undetected by the vast majority of anti-virus software. Also note that the compromised pages are being served through the Akamai network although at this time we believe the threat is specific to Fox Sports and not Akamai. Here is part of the email sent to Fox Sports by the zvelo team:
To Whom It May Concern:
zvelo has detected that your website, msndr.foxsports.com, remains infected with a dangerous, hidden iframe that links to a site that uses a variety of exploits to infect your website visitors with one of several rotating trojans. In particular, your 404 Page Not Found page on that server has the iframe right at the end of the HTML document immediately before the tag. See attached screenshot. Unfortunately, zvelo cannot say how your site was compromised, only that it is compromised and the compromised pages are being served through your Akamai distribution network. At this time, zvelo has marked msndr.foxports.com as a Compromised site and millions of end users are currently blocking access to the site based on that determination. Please let us know when you have corrected the issue so that we may unblock your site.
10/7/2009 Update:
zvelo has not received any response from Fox Sports and the classification of the msndr.foxsports.com host remains “Compromised.” For example, the hxxp://msndr[.]foxsports[.]com/dffdd results in a malicious page leading visitors to malware.
10/17/2009 Update: Unresolved Compromise Heads into its 3rd Week.
