Bangalore Metro Rail site “bmrc.co.in” compromised

By   ISBuzz Staff
Editorial Team , Information Security Buzz | Sep 24, 2013 03:31 am PST

Malicious obfuscated JavaScript has been injected into several pages. The obfuscated code contains an iFrame, which after execution, redirects users to a malicious website. This is typical behavior for a JavaScript Trojan. More information about this particular Trojan can be found in McAfee’s description of threat JS/Exploit-Blacole.em.  Let’s look at some of the details of this particular infection.

Compromised Pages:
We have seen more than one page on this website that were found to be compromised. All of the compromised pages are infected with the same malicious JavaScript code.

   hxxp://bmrc.co.in
hxxp://bmrc.co.in/careers.htm

   hxxp://bmrc.co.in/Network.htm

Malicious Code:
The injected code is obfuscated JavaScript as seen below.

 

The obfuscated JS is enclosed in “<!–2d3965–>” and “<!–/2d3965–>” tags.

De-obfuscated Code:
De-obfuscation of the aforementioned JavaScript reveals the browser redirection process.

Cookie checking:
De-obfuscated JS checks a cookie value to determine if the page was loaded in the browser previously. If the code is being loaded for the first time, it then creates a cookie called “visited_uq” which is set with a value of “55” for one day with a path of ‘/’. It then calls function which creates an iFrame.

iFrame Redirection

The following code performs an iFrame redirection to “hxxp://ecurie80.hostzi.com/Felenne12/clik.php

Network Trace