Sunbelt Software discovered Thursday afternoon that the Bank of India's website had been compromised and was distributing about 30 types of malware, Alex Eckelberry, Sunbelt CEO, told SCMagazine.com.

Sunbelt learned that the site had become compromised while researching another malware issue. The company contacted the Bank of India, which shut the site down about 2 a.m. EST Friday to clean the server, he said. The site is up and running again.

"We tracked communication with [the other malware] to the Bank of India site," Eckelberry said. "We're fairly certain this was done by the Russian Business Network (RBN), an underground criminal gang in Russia responsible for a lot of bad things on the internet."

The exploit appeared to be a malicious IFRAME, which took advantage of a Microsoft Windows 2003 server running the Bank of India site, he added. The IFRAME downloaded a wide variety of malware to PCs that had not been patched since August 2006, Eckelberry said.
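An injected IFRAME of the kind described above is typically made invisible (zero-size or hidden by CSS) and points at a host the site operator does not control, so a site owner can catch it with a routine integrity check over the pages their server actually returns. The scanner below is an added example written for this article; it is not code from Sunbelt, SC Magazine or the Bank of India, and the sample HTML, the placeholder hostnames and the one-pixel threshold are all constructed assumptions.

```python
"""Scan served HTML for IFRAME tags that look injected.

Added example for this article (not Sunbelt's or the bank's own tooling):
a defender-side integrity check a site operator could run against pages
fetched from their own web server. Hostnames, the sample page and the
size threshold below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that hide an IFRAME from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 px (a common hiding trick)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_host):
    """Return findings for IFRAMEs that are off-site, tiny, or CSS-hidden.

    page_host is the hostname the page is legitimately served from; any
    absolute src on another host is flagged.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-site src: %s" % host)
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate same-host iframe and one injected,
# invisible iframe pointing at a placeholder attacker-controlled host.
SAMPLE_HTML = """
<html><body>
<h1>Online banking</h1>
<iframe src="https://www.example-bank.test/rates" width="400" height="300"></iframe>
<iframe src="http://malware.invalid/in.cgi" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example-bank.test"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it periodically against pages fetched from the live server (not from the source repository) so that content added directly on the compromised host, as in this case, is what gets inspected; any finding should be compared against the last known-good copy of the page before raising an alert.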
Among the distributed malware were variants of TSPY_AGENT.AAVG and Trojan.Netview, several rootkits and a Trojan.Pandex. The first of these, TSPY_AGENT.AAVG, steals information from active windows on vulnerable end-user PCs, as well as information collected by a keylogger, network configuration, and user names and passwords for the POP3 and SMTP email protocols.

The collected files were uploaded to an FTP server in Russia, according to Sunbelt.

"Bank of India had a hole in its systems, and the Russians took the opportunity to insert code into the page," Eckelberry said. "The same thing happened to the Super Bowl site earlier this year."