Bank of India site hijacked, launching exploits

Summary: The Bank of India Web site has been hijacked by online criminals and is being used to serve up rootkits and backdoor Trojans on unpatched Windows machines.

Malware hunters at Sunbelt Software are warning that a snippet of code has been planted into the Bank of India Web site to redirect surfers to an exploit server.
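A defender-side check for the kind of planted redirect snippet described above, added here as an example (not code from the article, Sunbelt or Bank of India): it parses a fetched copy of a home page and flags hidden or zero-size iframes and any iframe/script/object source loaded from a host other than the site's own. The HTML sample, the site hostname and the off-site hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a bank home page with an injected hidden iframe that
# pulls content from an off-site host (placeholder names, not real domains).
SAMPLE_HTML = """<html><head><title>Bank Home</title>
<script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://exploit-host.example/landing.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://cdn-partner.example/lib.js"></script>
</body></html>"""

SITE_HOST = "www.bank.example"  # assumption: host the page was fetched from


class _TagCollector(HTMLParser):
    """Collect the tags that are typically abused to pull in an exploit page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "object", "embed"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True for zero/one-pixel frames or frames hidden via inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "visibility:hidden" in style or "display:none" in style


def find_injected_redirects(html, site_host):
    """Return (tag, src, reason) for tags that look like drive-by injections:
    hidden/tiny iframes, or any src/data that points at a host other than ours."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src") or attrs.get("data") or ""
        host = urlparse(src).hostname  # None for relative URLs such as /js/menu.js
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, src, ", ".join(reasons)))
    return findings
```

Off-site script sources will also catch legitimate CDNs, so in practice the "off-site src" hits are triaged against an allowlist of known partners, while a hidden iframe on a bank home page is almost always worth an immediate look.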

There is evidence that the Russian Business Network (RBN), a group known for aggressive malware attacks, is behind this latest high-profile site compromise.

[ SEE: Super Bowl stadium site hacked, seeded with exploits ]

The RBN has been closely linked to the virulent Storm Worm attacks, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date.

The Bank of India redirect is sending Windows users to a server hosting an e-mail worm file, two rootkits, two Trojan downloaders and three backdoor Trojans.

"Fully patched systems are likely unaffected," Sunbelt Software president Alex Eckelberry said.

A source tracking the attack tells me the IcePack exploit launcher is the back-end being used for this run of drive-by downloads.

[ UPDATE: 9:00 PM Eastern ] This video (.wmv) from Roger Thompson at Exploit Prevention Labs shows the kind of damage that's done when an unpatched machine simply surfs to the Bank of India home page.

It's been almost seven hours since the compromise was discovered, but Bank of India is still serving up the malicious redirect code. Malware researchers are working behind the scenes to make contact with the authorities to get the site cleaned and patched.

[ UPDATE #2: August 31, 2007 @ 9:59 AM ] The Bank of India site is now disinfected. This note appears on the home page:

This site is under temporary maintenance and will be available after 19:30 IST

To get a thorough understanding of what was happening at Bank of India during the site compromise, read Dancho Danchev's blow-by-blow of this attack, which used fast-flux networks to run multiple malware campaigns.

Topics: Banking, Malware, Security, Servers

Talkback

28 comments
  • Is it patched/fixed yet?

    You seem to have left that information out. I'm guessing that Bank of India has been informed.
    zkiwi
  • Ryan, why no information

    Look, this is a tech web site and readers want to know what TECH the bank is using. IE. What OS and software are they running on their server?
    No_Ax_to_Grind
    • Mix of IIS and Apache on Linux

      Per Netcraft

      Microsoft-IIS/6.0
      Microsoft-IIS/5.0
      Apache/1.3.27 Unix Red-Hat/Linux PHP/4.1.2 mod_perl/1.24
      net-com
      • Nonsense, it is IIS since 2004

        From netcraft @ /site_report?url=http://www.bankofindia.com: the last time they changed a Linux server was 2003 Jan 14. All of the entries from 2004 on have been IIS. This doesn't seem like they are running a mix, it sounds like they switched.
        shis-ka-bob
    • Win2k3/IIS6

      Though it looks like they outsource their hosting. I would bet the site was vandalized using a badly written app on the server.
      toadlife
  • How was it compromised?

    How about some real reporting.
    bjbrock
    • So others can copycat it?

      More importantly, who's running their servers?

      Most banks have big guarantees saying doing online transactions with them is safe; meaning some guy would get the sack if he screwed something up...
      HypnoToad72
      • You don't sack your brother-in-law's first cousin....

        "...some guy would get the sack if he screwed something up..."

        Yeah, that might happen in the US. But don't forget that we're talking about the land of immense extended families and rampant nepotism.

        You don't sack your brother-in-law's first cousin....
        Heimdall222
  • This isn't citibank or stan-chart.

    We can talk all we want about QoS and SLAs but this is not Citi or StanChart. I won't be surprised if BOI is serving up the same worms till late 2008. :p
    kraterz
  • look, the bank hasn't even taken the servers down

    This is the good old 'I don't see it, it isn't happening' stance.

    I agree Ryan could do better sometimes on his reporter skills (the latest 'IE safer than Firefox' lost him a lot of confidence of competence, here at least).

    However, in this case, it's hard to imagine the bank or anyone else involved would talk to him, not to mention timezones or a weekend.

    Banks just don't do that. Least of all ones in easily embarrassed situations.

    Let's wait, and we'll hear about it, no doubt. After they take the damaged servers down, and recover usability of their site.
    Narr vi
  • New business model

    [i]The Bank of India redirect is sending Windows users to a server hosting an e-mail worm file, two rootkits, two Trojan downloaders and three backdoor Trojans.[/i]

    Here we call that hacking. In Russia they call it business.

    Windows + Internet = Bad Combination
    Chad_z
    • You really should learn to read

      From the article:

      "The Bank of India Web site has been hijacked by online criminals and is being used to serve up rootkits and backdoor Trojans on *****unpatched***** Windows machines."

      Did you see the little word "unpatched"? If not, my bad. :) If so, you're at best careless and at worst deliberately biased.
      wolf_z
      • Missing 1 word is acceptable

        Missing an entire sentence though simply proves that the hatred in Chad's heart shields him from any logic when MS is concerned:
        [i]"Fully patched systems are likely unaffected," Sunbelt Software president Alex Eckelberry said.[/i]

        Yawn, wake me up when there is a real threat to a Windows machine. Until then... well... I'll keep being productive. :)
        NonZealot
        • Jumping to wild conclusions...

          But then again, we live in a world where most people don't see a difference between none and some, between definitely and "likely". They especially are adamant about not acknowledging problems that don't affect them directly. The argument often goes something like this... "I've been smoking for years and ain't never got cancer." Based on this one single fact, they jump to the conclusion that there couldn't possibly be a link between smoking and cancer. The world is black and white to them...either smoking causes cancer or it doesn't, and since it hasn't in their case then obviously it doesn't. Using that rationale, I'd suggest that terrorists don't kill people since I've never been personally killed by a terrorist. Criminals don't rob banks since my bank has never been robbed. People don't commit rape since I've never personally been raped. You see how ridiculous this train of thought can get. Sure, "fully patched systems are likely unaffected". That's worlds away from saying "fully patched systems are unaffected". If you want someone to wake you up when there is a real threat to a Windows machine, we'd have to go back to at least the early 90s for that, maybe even the 80s.
          jasonp@...
          • Wow, nice rant!

            [i]Using that rationale, I'd suggest that terrorists don't kill people since I've never been personally killed by a terrorist.[/i]

            This is actually a [b]very[/b] good example and you will see why you shouldn't have made it because it hurts your case a lot. However, it was slightly misworded so let me change it so it is closer to what is actually being said:
            [i]I'd suggest that I'm unlikely to be killed by a terrorist since no one who frequents the places I do has ever been killed by a terrorist.[/i]

            There is no doubt that an American in Baghdad should fear being killed by a terrorist but should someone living in Kansas have the same level of fear? Would you seriously agree with the suggestion that because people are killed by terrorists in Baghdad, people in Kansas are also likely to be killed by terrorists? If you believe that then you are one of those you deride for living in a world that is "black and white".

            I never said:
            [i]I use XP with no patches and any time anyone emails me any application, I immediately run it and I made sure that my firewall is off and when I download porn movies that have a .EXE extension, I run them anyway but I've never gotten any malware so Windows is safe.[/i]

            That would be the equivalent of strolling down a street in Baghdad waving an American flag while tearing out pages of the Koran and spitting on them. However, the fact that no one who shares [b]my[/b] computer usage patterns has ever been infected by malware suggests that I'm more likely to be killed by a terrorist in Kansas than I am to be infected by malware.

            Like I said, wake me up when a terrorist kills someone in Kansas. Until then, I won't fear the terrorists although you go right ahead and hide under your bed... after all... terrorists kill people, right? :)
            NonZealot
          • This is your wake up call.

            April 19, 1995. 168 dead in Oklahoma City.
            April 20, 1999. 13 dead at Columbine High School
            September 18, 2001. 5 dead in anthrax-laced mail attacks
            April 16, 2007. 32 dead at Virginia Tech.

            Not all terrorists come from abroad.

            But, like you said, don't live in fear. If you do, they win.
            msalzberg
  • Why hasn't anyone taken BOI off the net?

    Why hasn't anyone contacted the Bank of India's upstream ISP and had them blocked so they're off the net?

    Yes, it's a ridiculous suggestion. :) Remember that, nameless trolls, when you suggest it for an individual...
    wolf_z
  • Systems Support Headquarters

    Isn't India supposed to have all of the help desks now?? All of my Microsoft contacts have Indian names, accents, bad phone connections, etc. You would think they would have straightened out the Bank of India by now. Of course India itself probably outsources its help desks to Cambodia, Laos, Darfur, etc. Maybe that's the reason they are still infected.
    Dilberter
  • Bad BOI, Bad BOI

    Whatca gonna do?

    somebody had to say it...
    cwallen19803
    • No they didn't

      Really they didn't. You didn't, no one did. I hope you're ashamed of yourself ;-)
      Average_Joe