Friday, August 31, 2007

Bank of India Serving Malware

Ryan at ZDNet's Security blog is reporting on the breached site of Bank of India, which at the time of writing is still serving malware to its current and potential customers through the infamous Russian Business Network - 81.95.144.0 / 81.95.147.255.


At the bank's URL there's a link pointing out to goodtraff.biz (58.65.239.66), where an IFRAME loads 81.95.144.148/in.cgi?10, though when accessing it we get a response from 81.95.144.146, where we get the usual javascript obfuscation leading us to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php. Furthermore, the second IFRAME leads us to x-traffic.biz/ts/in.cgi?user0224 (which is a Russian Adult Traffic network), redirecting us to mymoonsite.net/check/version.php?t=167 (81.95.148.13), and a third one loads goodtraff.biz/tds/index.php (empty). What does it mean? It means the Russian Business Network has not just managed to inject its presence on Bank of India's site, but is also using multiple-iframing as an attack vector, thus creating a fast-flux network with multiple campaigns within it, which I'll assess in this post.
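The chain above starts with a hidden IFRAME on a legitimate page that hands the visitor to an off-site host, which in turn frames an address inside the RBN range. The following is an added example (not tooling from the blog post) of how a defender can triage a captured page for that pattern: it pulls every IFRAME out of the HTML, resolves the target host through a constructed lookup table (the addresses quoted above, plus a placeholder for the bank itself, since the example must run offline), checks whether the address falls inside the 81.95.144.0 - 81.95.147.255 range, and notes whether the frame is sized or styled to be invisible. The two sample pages are constructed stand-ins for the bank's homepage and the goodtraff.biz hop, not captures of the real ones.

```python
"""Flag IFRAMEs that lead off-site or into a known-bad netblock.

Added example, not code from the original post. DNS is replaced by a
constructed host->IP table so the script runs offline.
"""
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urljoin, urlparse

# The range the post attributes to the Russian Business Network,
# 81.95.144.0 - 81.95.147.255, as a CIDR prefix.
RBN_NET = ip_network("81.95.144.0/22")

# Constructed stand-in for DNS. Addresses for goodtraff.biz, 81.95.144.148 and
# mymoonsite.net are the ones quoted in the post; the bank's address is a
# placeholder from the TEST-NET-3 documentation range.
RESOLVED = {
    "www.bankofindia.com": "203.0.113.10",   # placeholder
    "goodtraff.biz": "58.65.239.66",
    "81.95.144.148": "81.95.144.148",
    "mymoonsite.net": "81.95.148.13",
}


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> that has a src."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser already lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("src"):
            self.frames.append(a)


def classify_iframes(page_html, page_host, resolver=RESOLVED):
    """Return one finding per IFRAME: target host, verdict, and whether it is hidden.

    verdict is "same-site", "off-site" or "known-bad-netblock".
    """
    collector = IframeCollector()
    collector.feed(page_html)
    base = "http://%s/" % page_host
    findings = []
    for a in collector.frames:
        target = urljoin(base, a["src"])            # resolves relative and //host srcs
        host = urlparse(target).hostname or page_host
        if host == page_host:
            verdict = "same-site"
        else:
            ip = resolver.get(host)                 # None when the host is unknown to us
            in_rbn = ip is not None and ip_address(ip) in RBN_NET
            verdict = "known-bad-netblock" if in_rbn else "off-site"
        # Injected frames are typically sized 0x0 / 1x1 or styled invisible.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "hidden" in a.get("style", ""))
        findings.append({"src": a["src"], "host": host,
                         "verdict": verdict, "hidden": hidden})
    return findings


# Constructed sample pages (not captures of the real sites).
BANK_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/ads/promo.html" width="300" height="250"></iframe>
<iframe src="http://goodtraff.biz/" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

GOODTRAFF_PAGE = """<html><body>
<iframe src="http://81.95.144.148/in.cgi?10" width=1 height=1></iframe>
<iframe src="http://x-traffic.biz/ts/in.cgi?user0224" width=1 height=1></iframe>
<iframe src="http://goodtraff.biz/tds/index.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    for page, host in ((BANK_PAGE, "www.bankofindia.com"), (GOODTRAFF_PAGE, "goodtraff.biz")):
        print("==", host)
        for f in classify_iframes(page, host):
            print("  %-45s %-18s %-20s hidden=%s" % (f["src"], f["host"], f["verdict"], f["hidden"]))
```

Run against the first sample the bank's own ad frame comes back as same-site while the 1x1 frame to goodtraff.biz is off-site and hidden; on the second hop the frame to 81.95.144.148 is the one that lands in the known-bad netblock, x-traffic.biz is merely off-site because the post gives no address for it, and the goodtraff.biz/tds/index.php frame is same-site. In production the lookup table would be replaced by a real resolver and the netblock list by your threat-intelligence feed.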

Apparently, Trend Micro's been busy uncovering the n404 exploit kit, which is also used in this campaign aimed at the Bank of India. Is this a newly developed attack kit, or a modification of another popular one? Further attack clues will definitely indicate the second, namely that it's a modification. In respect to this kit, it returns a 404 error within which is the obfuscated javascript, thus we have a fast-flux oriented kit aiming to diversify and include as many infected nodes in the attack process as possible, to improve its chances of infecting the host while the campaign remains intact. The malicious URL structure is again static, just like Storm Worm's, and follows the format n404-(number from 1 to 9).htm, where each page contains a different piece of malware.

Several more n404 exploit kit campaigns are currently active at the following URLs :

msiesettings.com - 81.95.148.14
winmplayer.com
smoothdns.net - 81.95.148.12
protriochki.com - 81.95.148.14
susliksuka.com - 81.95.148.12
uspocketpc.com - 81.95.148.13

The exact campaign URLs :

- mymoonsite.net/check/versionml.php?t=141
mymoonsite.net/check/version.php?t=15
mymoonsite.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- uspocketpc.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s75.msiesettings.com/check/versionst.php?t=75
s75.msiesettings.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- s99.winmplayer.com/check/n404-1.php
n404-(number from 1 to 9).htm

- smoothdns.net/check/n404-1.htm
n404-(number from 1 to 9).htm

- protriochki.com/check/n404-1.htm
n404-(number from 1 to 9).htm

- susliksuka.com/check/n404-1.htm
n404-(number from 1 to 9).htm

What makes an impression is that it's relying on as many malware infections as possible, thus visiting a central campaign site such as mymoonsite.net/check/version.php?t=158 results in all the n404 malicious pages within the domain getting automatically loaded via an IFRAME, and as you've successfully guessed, they all contain different types of malware. Although javascript obfuscation is often used to hide the real location of the exploit or binary, in this campaign each and every n404-1.htm obtained from all domains has the same checksum, therefore the files at the different domains are identical - at least so far:

File size: 10636 bytes
MD5: 45594ef52a9f53f2140d4797826156ff
SHA1: 7c4f7d183dfaf39410902a629b13ae5112b847f0

AntiVir 2007.08.31 HTML/Crypted.Gen
eSafe 2007.08.29 JS.Agent.ke
Fortinet 2007.08.31 HTML/Heuri.BIU!tr.dldr
F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no
Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no
Webwasher-Gateway 2007.08.31 Script.Crypted.Gen
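Two properties described above are what an analyst would key on when sorting captures from these hosts: the kit answers with an HTTP 404 whose body nonetheless carries a script block, and the same n404-1.htm is served byte-for-byte identical across domains. The script below is an added example (not the blog's own tooling) that applies both to a batch of captured responses. The hostnames are the ones listed in the post; the response bodies are constructed stand-ins (a short placeholder script instead of the real 10636-byte obfuscated file, so the digests will not match the MD5/SHA1 quoted above), and the regular expression encodes the static n404-(1 to 9).htm path pattern the post describes.

```python
"""Triage captured HTTP responses for the n404 kit's signature and cluster
identical payloads across hosts. Added example, not from the original post."""
import hashlib
import re
from collections import defaultdict

# Static path pattern the post describes: /check/n404-1.htm ... n404-9.htm
N404_PATH = re.compile(r"/check/n404-[1-9]\.htm$")
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def is_n404_page(status, body):
    """The kit's tell: a 404 response whose body still carries a <script> block."""
    return status == 404 and SCRIPT_TAG.search(body) is not None


def digests(body):
    """(md5, sha1) hex digests of a response body, as listed in the post."""
    return hashlib.md5(body).hexdigest(), hashlib.sha1(body).hexdigest()


def triage(responses):
    """Group hosts by the SHA1 of the kit page they serve.

    responses: iterable of (host, path, status, body). Only responses whose
    path matches the n404 pattern and whose content shows the kit's signature
    are kept. Returns {sha1: sorted list of hosts}.
    """
    clusters = defaultdict(set)
    for host, path, status, body in responses:
        if N404_PATH.search(path) and is_n404_page(status, body):
            clusters[digests(body)[1]].add(host)
    return {sha1: sorted(hosts) for sha1, hosts in clusters.items()}


def shared_payloads(clusters):
    """Digests served by more than one host: evidence of one kit mirrored across domains."""
    return {sha1: hosts for sha1, hosts in clusters.items() if len(hosts) > 1}


# Constructed sample responses (bodies are placeholders, not the real kit file).
KIT_BODY = (b"<html><head><title>404 Not Found</title></head><body>"
            b"<script>var s='';/* constructed stand-in for the obfuscated loader */</script>"
            b"</body></html>")
VARIANT_BODY = KIT_BODY.replace(b"var s=''", b"var z=0")      # a re-obfuscated copy
PLAIN_404 = b"<html><body><h1>Not Found</h1></body></html>"     # an ordinary 404

SAMPLE_RESPONSES = [
    ("mymoonsite.net", "/check/n404-1.htm", 404, KIT_BODY),
    ("uspocketpc.com", "/check/n404-1.htm", 404, KIT_BODY),
    ("smoothdns.net", "/check/n404-1.htm", 404, KIT_BODY),
    ("susliksuka.com", "/check/n404-1.htm", 404, VARIANT_BODY),
    ("example.com", "/check/n404-1.htm", 404, PLAIN_404),           # no script: not the kit
    ("mymoonsite.net", "/check/version.php?t=158", 200, KIT_BODY),  # path does not match
]

if __name__ == "__main__":
    clusters = triage(SAMPLE_RESPONSES)
    for sha1, hosts in clusters.items():
        print(sha1, "served by", ", ".join(hosts))
    print("mirrored across hosts:", list(shared_payloads(clusters)))
```

With the constructed input, three of the listed domains fall into one cluster (the same SHA1), susliksuka.com forms a cluster of its own because its body differs, and the ordinary 404 and the version.php hit are dropped. When real captures are fed in, a cluster spanning several domains is the point to raise with the hosting provider, and a digest that changes between fetches is the signal that the kit has been re-obfuscated and detections need refreshing.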

A great example of a fast-flux network with way too many infected hosts participating in the attack, and although some seem to be down, the attack is still fully operational in typical fast-flux style.

UPDATE: F-Secure's and McAfee's comments on the case, as well as two related posts - Bank of India’s Website has been Compromised by Trojan downloader; Bank of India Official Web Site Unsafe at the Moment.

UPDATE 2:
Several hours after the Bank of India got rid of the iframe at its homepage, the main URL for this malware campaign (81.95.144.148/in.cgi?10) removed the javascript obfuscation and is now forwarding to Google.com.

"We have taken up the matter with our technology-partner and all necessary action will be taken to rectify the matter. In my view, the users will not be faced with any major problems," said BoI general manager PA Kalyansundar. "However, we are not completely sure that an attack actually happened," he clarified.

Here's another article from The Register mentioning the three key points related to the campaign - the Russian Business Network, the n404 exploit kit which is definitely a modification of the popular ones currently in the wild, and the use of fast-flux networks. And this is what happened when an Indian tried to reach the local Cybercrime unit.