Select Page

Breaking: Bank of India seriously compromised

by | Aug 30, 2007 | Uncategorized | 0 comments

We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE.

The following code can be clearly seen on the site:

Bankofindia72318812388123218

(Obviously, do not visit these sites that are in the HTML source).

Attempts are then made to load multiple pieces of malware.

Developing…

Alex Eckelberry

Update: The page is using exploits to install malware.

What we have seen so far:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Fully patched systems should be unaffected. More coming.

Update 2: We’ve cataloged over 22 pieces of malware. Mostly spam-related malware but we did find a pinch Trojan variant. More info coming as we get it. Biggest issue is the sheer volume of malware we’ve had to analyze.

Update 3: As I write this, it is currently 1:20 a.m EST (10:20 a.m. in India), and the malicious IFRAME is still located on the Bank of India website.

With that said, i just wanted to mention two other very dangerous information stealing Trojans included in this massive install of malware.

First, we are seeing a variant of TSPY_AGENT.AAVG. Trend Micro has an excellent write which you can read here.

Secondly, a variant of Trojan.Netview is being installed. Trojan.Netview is used to gather files from the infected computer as well as network shares. This characteristic is particularly dangerous in networked environments where infected users might have access to unprotected shares containing sensitive information.

The collected files are then uploaded to an FTP server located in Russia.

Of interest is the fact that Trojan.Netview is specifically searching for quarantine folders of antivirus programs. It is no surprise that this particular person had over a hundred items located in their quarantine folder:

Submit a Comment

Your email address will not be published. Required fields are marked *