NEWS FROM THE LAB - Friday, August 31, 2007

Bank of India's Website Compromised Posted by Patrik @ 05:40 GMT

Earlier today we saw a blog post from the good people over at Sunbelt about a compromise of Bank of India's website and so we checked it out.

Bank of India

On the front page of the site a hidden IFrame has indeed been inserted and it loads a URL from another website.

Bank of India IFrame

This file in turn uses three IFrames to load three other URLs.

Bank of India IFrame

Two of the URLs are now down but the third contains an obfuscated JavaScript that uses exploits to download and run a file called loader.exe. This file is a small downloader which downloads additional files that are different password stealing trojans, additional downloaders, et cetera. We detect all of the malicious files with our latest database update.

Update: The malicious IFrame has been removed from the front page and it's now safe to visit the site again.