This is a round-up of the latest news on the Bank Of India hack.
As of 10:15pm est on Saturday September 1st 2007, the bank website is still disabled, with a note saying it's undergoing maintenance, and asking for patience.
This is a good thing, because it means they're examining all their pages for intrusions, and with appropriate care they'll also correct the vulnerabilities that allowed the site to be hacked in the first place. This is an important step, because we see entirely too many sites that get hacked, then are cleaned, and then they get hacked again because the holes have not been plugged.
Now that the dust has cleared, it is apparent that the attacking servers fired at least two different exploit sets. One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as yet unidentified exploit package, along the lines of mpack/icepack/webattacker.
It contained a vml exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to mpack/icepack except that it is missing an ANI (MS07-017), and it contains instead the VML.
The real difference, however, is that it had machine generated variable and function names. In other words, the server side script was generating the scripts in order to try to defeat scanners. For a variety of reasons that I won't go into here, this fails to defeat the scanners, especially LinkScanner, but it's an interesting step.
Btw, we now have an edited version of the video. Hires .mov can be found here
and a youtube vesion here
Labels: bank of india exploit