Zscaler Blog

BSNL, Bangalore Website Yet Another Victim Of Malicious Code Injection
Security Research

THREATLABZ
March 01, 2011 - 2 min read
BSNL, Bangalore telecom district has become yet another victim of poor website security and has been infected with malicious JavaScript code. This time, the code points to a malicious domain used by the popular Gumblar botnet. Recently, my colleague Pradeep blogged about two Indian websites, ICWAI and KVGBANK, that were also infected with malicious content. The bangaloretelecom.com site provides information on the telecommunications services offered, telephone number search, online payment of bills, etc. This is yet another example of a popular website in India that has been compromised. Here is a screenshot of the home page:
[Image: screenshot of the bangaloretelecom.com home page]

Interestingly, the home page itself does not contain malicious content; rather, the malicious JavaScript has been injected into one of the “.js” files used for searching the content of the website. If you look at the above screenshot, you will see a small search box. The attack is triggered when you search for anything using this functionality. Below is a screenshot of the search page the user is redirected to:

[Image: screenshot of the search results page]

The source code of this page references various “.js” files. The “search.js” file is the one infected with malicious JavaScript code. Here is the source code of that file:

[Image: source code of search.js]

The malicious JavaScript code is inserted at the bottom of this “.js” file. Here is the malicious content:

[Image: malicious JavaScript appended to the end of search.js]

There are six different malicious JavaScript snippets, each obfuscated in a different way, but all ultimately point to the same malicious domain. Let’s investigate one of them:

[Image: one of the six obfuscated snippets]

The decoded script is shown below:

[Image: the decoded script]

The above malicious code points to the malicious domain “gumblar.cn”, which was used by the Gumblar Trojan. Fortunately, the malicious domain has now been taken down.
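As an added example (not code from the original post or from Zscaler), here is a small static scanner for the situation described above: a legitimate “.js” file with obfuscated snippets appended that resolve to a known bad domain. It decodes `String.fromCharCode(...)` and `%xx`/`%uXXXX` encodings without executing anything, flags `eval` of decoded strings, and reports any blocklisted domain that only appears after decoding. The function and constant names (`scanJs`, `BLOCKED_DOMAINS`, `SAMPLE_SEARCH_JS`) and the sample file are my own constructions.

```javascript
// Added example, not from the original post. Static scan of a JS file for
// appended obfuscated snippets. Nothing in the input is ever executed.

const BLOCKED_DOMAINS = ["gumblar.cn"]; // domain named in the post; extend as needed

// Rewrite every String.fromCharCode(103, 117, ...) call as the literal string it builds.
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, codes) =>
    JSON.stringify(codes.split(",").map(c => String.fromCharCode(Number(c.trim()))).join("")));
}

// Decode %uXXXX and %xx sequences as unescape() would, without calling it on attacker data.
function decodePercent(src) {
  return src
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Scan a JS file body. Returns a list of findings; an empty list means nothing suspicious.
function scanJs(src) {
  const findings = [];
  // Peel a few layers, since the post notes each snippet was obfuscated differently.
  let decoded = src;
  for (let i = 0; i < 3; i++) decoded = decodePercent(decodeFromCharCode(decoded));
  // eval() fed by a decoder is the classic loader pattern; plain fromCharCode alone is benign.
  if (/\beval\s*\(/.test(src) && /fromCharCode|unescape|\\x[0-9a-f]{2}/i.test(src)) {
    findings.push("eval of decoded string (obfuscation loader)");
  }
  for (const d of BLOCKED_DOMAINS) {
    if (decoded.includes(d)) {
      const how = src.includes(d) ? "in plain text" : "revealed only after decoding";
      findings.push(`reference to blocked domain ${d} (${how})`);
    }
  }
  return findings;
}

// Constructed sample: a benign search helper with an obfuscated line appended.
// The char codes spell "gumblar.cn" (the domain from the post); the line is inert.
const GUMBLAR_CODES = [..."gumblar.cn"].map(c => c.charCodeAt(0)).join(",");
const SAMPLE_SEARCH_JS =
  `function doSearch(q) { location.href = "/search?q=" + encodeURIComponent(q); }\n` +
  `eval(String.fromCharCode(${GUMBLAR_CODES}));`;
```

Running `scanJs(SAMPLE_SEARCH_JS)` reports both the eval loader and the hidden domain reference, while the same file without the appended line reports nothing.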

Zscaler blocks the infected page rather than blocking the whole website. This example illustrates how malicious content can be filtered out while still allowing access to what is otherwise a legitimate site – an important approach, given the prevalence of malicious infections. Our recent posts highlight the fact that numerous popular Indian websites are struggling with proper application security controls.

Umesh
