Reminiscent of Super Bowl site hack in January; notorious Russian gang suspected
The Bank of India Web site was hacked sometime Wednesday night (U.S. time) and seeded with a wide, wild array of malware that infected any users running unpatched browsers, security researchers said today.
Although the bank's site had been scoured of all malware by Friday morning, it's currently offline. "This site is under temporary maintenance and will be available after 09:00 IST on 1.09.07," a prominent message currently reads.
Researchers at Sunbelt Software Inc. first posted details of the hack yesterday afternoon after finding rogue code embedded in the site's HTML. That code, actually an IFRAME exploit, silently redirected users to a hacker server, which pushed 22 different pieces of malware onto vulnerable PCs. By Sunbelt's tally, the malware included one worm, three rootkits, five Trojan downloaders, and several password stealers. "The biggest issue is the sheer volume of malware we've had to analyze," said Alex Eckelberry, Sunbelt's CEO, in a blog posting yesterday.
Other researchers dug up more information. According to Roger Thompson, the chief technology officer of Exploit Prevention Labs Inc., the bank's site was compromised sometime between late Wednesday and early Thursday (U.S. time). How it was hacked, however, is yet unknown, as is how many bank customers might have been infected by the attacks.
When contacted Friday, executives and IT administrators at U.S. offices of Bank of India were unaware of the hack. Later, after reaching his colleagues in India, a U.S.-based spokesman said only: "They are aware of the problem. Bank IT and security people are working on this now." He had no other information on the severity of the attack or its duration, however.
For his part, Thompson posted a video of the hack (.wmv file download) that showed the massive infections and resulting system changes in a debugger window. At one point, he pointed out a couple of pop-ups that appeared during the infection. "The pop-ups aren't the problem, the problem is that you're already hosed if you're not patched," he said. "You're comprehensively owned at this point."
By 10:30 a.m. Eastern, the site was clean, Eckelberry reported.
All clues point to the notorious Russian Business Network (RBN) gang, said Eckelberry. Based in St. Petersburg, RBN has been dubbed "the baddest of the bad" by VeriSign iDefense, and is reportedly involved in everything from spamming and phishing to denial-of-service attacks and selling child pornography over the Internet.
"There has been speculation as to whether the malware was installed through an exploit framework -- Webattacker, Mpack, Icepack -- as it was encrypted in the same way as Webattacker," said Eckelberry.
Thompson confirmed the breach. In a blog of his own, Thompson said it looked like the "standard Mpack/Icepack stuff" to him.
The Bank of India hack is only the latest example of a legitimate Web site behing compromised, and serving up malware to unwary visitors. In the U.S., the most serious incident was earlier this year, when the site belong to Dolphin Stadium, host to the National Football League's Super Bowl, was hacked just days before the big game.