Saturday, September 01, 2007

Bank of India hack update

Hi folks,

This is a round-up of the latest news on the Bank Of India hack.

As of 10:15pm EST on Saturday, September 1st, 2007, the bank's website is still disabled, with a note saying it's undergoing maintenance and asking for patience.

This is a good thing, because it means they're examining all their pages for intrusions, and with appropriate care they'll also correct the vulnerabilities that allowed the site to be hacked in the first place. That second step matters: we see entirely too many sites that get hacked, get cleaned, and then get hacked again because the holes were never plugged.

Now that the dust has cleared, it is apparent that the attacking servers fired at least two different exploit sets. One was a simple MS06-042, essentially cut and pasted from the original Milw0rm proof of concept. The second was an as-yet-unidentified exploit package, along the lines of MPack/IcePack/WebAttacker.

It contained a VML exploit (probably MS07-004), another MS06-042, a WinZip exploit, a QuickTime exploit, and a SetSlice exploit (the WebViewFolderIcon ActiveX bug, MS06-057). That is very similar to the MPack/IcePack line-up, except that it is missing the ANI exploit (MS07-017) and carries the VML exploit instead.

The real difference, however, is that it had machine-generated variable and function names. In other words, the server-side script was generating the client-side exploit scripts on the fly, with fresh names each time, to try to defeat signature-based scanners. For a variety of reasons that I won't go into here, this fails to defeat the scanners, especially LinkScanner, but it's an interesting step.
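To show what that name generation looks like and why renaming by itself buys the kit very little, here is an added example. It is not code from the original post and not LinkScanner's code; both the "server side" and the "scanner side" below are my own sketch. The JavaScript template is a harmless constructed stand-in for a kit page (it only unescapes a string and writes it), and the placeholder names, the KEEP list and the seeds are assumptions made for the demonstration. The scanner side canonicalises identifiers before hashing, so two pages that differ only in the names the server picked produce the same structural signature even though their raw bytes differ.

```python
import hashlib
import random
import re
import string

# Constructed stand-in for one page served by the kit. It is deliberately
# harmless (it only unescapes a string and writes it to the document), but it
# has the shape a scanner has to recognise: a helper function, a few
# variables, an unescape() call and a document.write(). The CAPITALISED
# placeholders are the names the server rewrites on every request.
TEMPLATE = (
    'function FN1(ARG1){var V1=unescape(ARG1);return V1;}\n'
    'var V2=FN1("%48%65%6c%6c%6f");\n'
    'document.write(V2);\n'
)
PLACEHOLDERS = ["FN1", "ARG1", "V1", "V2"]

# Names a scanner must not rename: JavaScript keywords plus the host objects
# and functions the kit itself has to call by their real names. (Partial
# list, assumed here; enough for the stand-in above.)
KEEP = {
    "function", "var", "return", "if", "else", "for", "while", "new",
    "this", "unescape", "document", "write", "eval", "String",
    "fromCharCode", "window", "setTimeout", "navigator", "location",
}
IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
STRING_LITERAL = re.compile("\"[^\"]*\"|'[^']*'")


def random_identifier(rng, length=8):
    """Server side: a fresh lowercase identifier, the way a kit generates them."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def generate_page(seed=None):
    """Server side: emit the template with every placeholder replaced by a
    random name. Distinct placeholders always get distinct names, and a name
    never collides with a keyword, so the generated script still runs."""
    rng = random.Random(seed)
    used = set()
    script = TEMPLATE
    for placeholder in PLACEHOLDERS:
        name = random_identifier(rng)
        while name in used or name in KEEP:
            name = random_identifier(rng)
        used.add(name)
        script = script.replace(placeholder, name)
    return script


def normalize(script):
    """Scanner side: map every non-reserved identifier to id0, id1, ... in
    order of first appearance, and blank out string literals so the encoded
    payload bytes do not feed into the signature either. Pages that differ
    only in the names the server picked normalise to identical text."""
    script = STRING_LITERAL.sub('""', script)
    mapping = {}

    def rename(match):
        name = match.group(0)
        if name in KEEP:
            return name
        if name not in mapping:
            mapping[name] = "id%d" % len(mapping)
        return mapping[name]

    return IDENT.sub(rename, script)


def signature(script):
    """Structural signature: hash of the normalised script."""
    return hashlib.sha256(normalize(script).encode("utf-8")).hexdigest()


def raw_hash(script):
    """What a naive byte-for-byte signature would see."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    first, second = generate_page(seed=1), generate_page(seed=2)
    print(first)
    print(second)
    print("raw hashes differ:          ", raw_hash(first) != raw_hash(second))
    print("normalised signatures equal:", signature(first) == signature(second))
    print(normalize(first))
```

The point the two hashes make: renaming changes the bytes, so a byte-for-byte signature misses every fresh copy, but it does not change the structure of the script, and a scanner that canonicalises names (or, as LinkScanner does, evaluates what the page actually does) is indifferent to it. A real kit also varies string encoding and statement layout, which is why the normaliser blanks string literals too; handling layout changes would need a proper tokeniser rather than the regular expressions used here.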

By the way, we now have an edited version of the video. The hi-res .mov can be found here and a YouTube version here.

At 12:37 AM, Anonymous ports said...

I assume that you developed the tools you're using in the video ("WRremote v.2" and "Browser Helper Object v.3") yourself?

At 3:09 AM, Blogger Roger Thompson said...

Yes... we have lots of internal tools to help sort stuff out. Some of these malicious websites reach out to lots of other websites, some of which are completely innocent, and some are not. It's difficult to figure it out by hand. Laziness is still an attribute for a programmer.


At 10:59 PM, Anonymous Anonymous said...

Happened to try that BOI site and many dozens of others, most with VERY NASTY obfuscation; the new version of Norton Internet Security 2008 with its Browser Defender feature is able to detect and block all of them in real time, with no reputation or offline scanning etc. like SiteAdvisor, and no connection to a central server like LinkScanner. Have you tried this new feature? It seems a step above LinkScanner, which I currently use.

At 7:39 AM, Blogger Roger Thompson said...

Actually, I think you are misunderstanding how LinkScanner works. We _don't_ connect to a central server at all to make decisions about a website. We've always made real time evaluations of websites... it's what we do. I haven't tried Browser Defender personally, but it sounds very similar to us. Robert Vamosi did do a review though, and didn't seem to think it was fantastic. See