Bangalore Metro Rail site “” compromised

By ISBuzz Team
Writer, Information Security Buzz | Sep 24, 2013 03:31 am PST

Malicious obfuscated JavaScript has been injected into several pages. The obfuscated code contains an iFrame which, after execution, redirects users to a malicious website. This is typical behavior for a JavaScript Trojan. More information about this particular Trojan can be found in McAfee’s description of threat JS/Exploit-Blacole.em. Let’s look at some of the details of this particular infection.

Compromised Pages:
More than one page on this website was found to be compromised. All of the compromised pages are infected with the same malicious JavaScript code.



Malicious Code:
The injected code is obfuscated JavaScript as seen below.


The obfuscated JS is enclosed in “<!--2d3965-->” and “<!--/2d3965-->” tags.
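A scanner for this marker pattern, as an added example that is not code from the original article: it flags and can strip any block wrapped in paired HTML comment markers that share a hex id. The function names, the 4-12 character id range and the sample page are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Paired comment markers sharing one hex id: <!--2d3965--> ... <!--/2d3965-->.
# Assumption: ids are 4-12 hex characters; the page shows a single 6-character id.
MARKER_BLOCK = re.compile(
    r"<!--([0-9a-f]{4,12})-->(.*?)<!--/\1-->", re.IGNORECASE | re.DOTALL)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

class Finding(NamedTuple):
    marker_id: str
    line: int         # 1-based line of the opening marker
    length: int       # characters wrapped between the two markers
    has_script: bool  # True when the wrapped content opens a <script> element

def find_injected_blocks(html: str) -> list[Finding]:
    """Return every marker-wrapped block in one page's HTML."""
    return [
        Finding(m.group(1).lower(), html.count("\n", 0, m.start()) + 1,
                len(m.group(2)), bool(SCRIPT_TAG.search(m.group(2))))
        for m in MARKER_BLOCK.finditer(html)
    ]

def strip_injected_blocks(html: str) -> tuple[str, int]:
    """Remove marker-wrapped blocks that contain a script; return (clean_html, removed)."""
    def drop(m: re.Match) -> str:
        # Keep paired markers that wrap no script: they may be legitimate comments.
        return "" if SCRIPT_TAG.search(m.group(2)) else m.group(0)
    clean = MARKER_BLOCK.sub(drop, html)
    removed = sum(f.has_script for f in find_injected_blocks(html))
    return clean, removed

# Constructed sample page; the script body is a harmless placeholder.
SAMPLE = """<html><body>
<!--header-->
<h1>Timetable</h1>
<!--2d3965--><script type="text/javascript">/* placeholder */</script><!--/2d3965-->
<!--abc123-->
<p>Fares</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_injected_blocks(SAMPLE):
        print(finding)
    print(strip_injected_blocks(SAMPLE)[1], "block(s) removed")
```

Run over the files a site serves, the same marker id turning up on several pages matches the observation above that all compromised pages carry the same injected code.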

De-obfuscated Code:
De-obfuscation of the aforementioned JavaScript reveals the browser redirection process.

Cookie checking:
The de-obfuscated JS checks a cookie value to determine whether the page was previously loaded in the browser. If the code is being loaded for the first time, it creates a cookie called “visited_uq”, set to a value of “55” for one day with a path of ‘/’. It then calls a function that creates an iFrame.

iFrame Redirection:

The following code performs an iFrame redirection to “hxxp://

Network Trace