Breaking: Bank of India seriously compromised

We have discovered that the Bank of India’s site, bankofindia(dot)com is compromised and is serving malware. DO NOT VISIT THIS SITE.

The following code can be clearly seen on the site:

[Image: screenshot of the injected code in the site's HTML source]

(Obviously, do not visit these sites that are in the HTML source).

Attempts are then made to load multiple pieces of malware.

Developing…

Update: The page is using exploits to install malware.

What we have seen so far:

Email-Worm.Win32.Agent.l

Rootkit.Win32.Agent.dw

Rootkit.Win32.Agent.ey

Trojan-Downloader.Win32.Agent.cnh

Trojan-Downloader.Win32.Small.ddy

Trojan-Proxy.Win32.Agent.nu

Trojan-Proxy.Win32.Wopla.ag

Trojan.Win32.Agent.awz

Trojan-Proxy.Win32.Xorpix.Fam

Trojan-Downloader.Win32.Agent.ceo

Trojan-Downloader.Win32.Tibs.mt

Trojan-Downloader.Win32.Agent.boy

Trojan-Proxy.Win32.Wopla.ah

Trojan-Proxy.Win32.Wopla.ag

Rootkit.Win32.Agent.ea

Trojan.Pandex

Goldun.Fam

Backdoor.Rustock

Trojan.SpamThru

Trojan.Win32.Agent.alt

Trojan.Srizbi

Trojan.Win32.Agent.awz

Email-Worm.Win32.Agent.q

Trojan-Proxy.Win32.Agent.RRbot

Trojan-Proxy.Win32.Cimuz.G

TSPY_AGENT.AAVG (Trend Micro)

Trojan.Netview

Update 2: We've cataloged over 22 pieces of malware. Most of it is spam-related malware, but we did find a Pinch Trojan variant. More info coming as we get it. The biggest issue is the sheer volume of malware we've had to analyze.

Update 3: As I write this, it is currently 1:20 a.m. EST (10:20 a.m. in India), and the malicious IFRAME is still located on the Bank of India website.

With that said, I just wanted to mention two other very dangerous information-stealing Trojans included in this massive install of malware.

First, we are seeing a variant of TSPY_AGENT.AAVG. Trend Micro has an excellent write-up, which you can read here.

Secondly, a variant of Trojan.Netview is being installed. Trojan.Netview is used to gather files from the infected computer as well as network shares. This characteristic is particularly dangerous in networked environments where infected users might have access to unprotected shares containing sensitive information.

The collected files are then uploaded to an FTP server located in Russia.

Of interest is the fact that Trojan.Netview is specifically searching for quarantine folders of antivirus programs. It is no surprise that this particular person had over a hundred items located in their quarantine folder:

[Image: screenshot of the infected machine's antivirus quarantine folder, the kind of location Trojan.Netview searches]