Javascript malware injection on Ethernet Xpress

Warren Rodrigues posted on 25 August 2018

A couple of days ago, my anti-virus software (Eset NOD32) showed me a warning - that a threat was found and blocked. This happened while I was browsing a trusted website - my Gmail account on webmail.

I tried visiting a few other websites - including my photography website and my web dev website - both showed the warning.

Then, I decided to visit some popular websites like TripAdvisor.com; still the same warning.

I go to ethernetxpress.com and customer.expl.in (their customer management portal); same "threat found" warning on their websites as well.

Now, most probably, the whole world's websites could not be infected with the same malware at the same time. So, the logical options were either:

  1. My computer was infected or
  2. Ethernet Xpress' network was infected.

I figured it was just my computer, since Internet Service Providers rarely get malware on their networks. So, I scanned my computer using Eset NOD32 and MalwareBytes Anti-Malware. They both found zero infections.

Switched on my laptop, which I hadn't used for a day or two. Visited some of the same websites and some others. The anti virus on my laptop was showing the same warning as well.

Now, it seemed fairly obvious that the ISP's network was compromised. But, I like to rule out all other possibilities. So, I called up some friends who were using Ethernet Xpress. The first person I called, immediately, said that he was seeing the same issue for the last hour or so. While I was on this call, another friend called me up to say they were getting a 'Threat Found' warning. I asked both of them to ask anyone else if they're seeing this issue. I called a couple of other friends, while each of them checked with some more friends. Only users on Ethernet Xpress were seeing this issue.

To confirm that this issue didn't exist on other networks, I switched off my WiFi router that was configured with Ethernet Xpress and connected my computer to my mobile hotspot, using Idea's 4G internet. No threat warnings were shown.

It was now quite clear that Ethernet Express' network was injecting some bad Javascript file that contained Coin Mining Malware. The network was capturing DNS requests and immediately sending back the malware. So, even websites which re-direct to secure, encrypted HTTPS protocol were showing the warning, unless I explicitly typed in https:// at the start.

Side note: HTTPS traffic is encrypted, so malware cannot be successfully injected into the source code. If the ISP or any other attacker tries to inject code into an HTTPS request, the page fails to load.

Next step - I tried calling their call center on 1800-266-4986. As usual, both options disconnect my call in less than a minute.

  • The service IVR says they've noted my number and will call back.
  • The sales IVR says to call back during working hours.

They usually never call back.

This issue started at around 16:21 IST for me, though some users have reported that it started as early as 13:00 IST.

I posted the details on my Facebook timeline, to which Ethernet Express responded, asking to email them the details. I emailed them at around 21:08, with all the details and logs from my anti-virus (see below)

You'll see that NOD32 has blocked the JS file from random sites, including:

  • 16:21 - Comodo's OCSP server
  • 17:54 and 18:02 - Digicert's OCSP server
  • 18:31 - Adobe licence server
  • 19:41 - Windows Update server
  • 20:37 - Tripadvisor.com
  • 20:38 - Their own websites (EthernetXpress.com and customer.expl.in)

They replied the next afternoon at 15:16 on 24-Aug, informing me that they have rectified the issue and to please check if I am still facing the issue.

This should be a very serious issue for any ISP, because this kind of infection can spread rapidly. Everyone on their network, without proper anti-virus protection can get infected.

EthernetXpress is quite a decent ISP, especially when compared to the other options we have in Goa. However, they need to have quicker and better responses for when an issue like this takes place.

UPDATE: Justin called me up following my post on Facebook. He explained that some network hardware was compromised and that the issue was resolved. I asked him why no one answers the helpdesk phone. He said that they're trying very hard to improve the help desk situation. For now, the best option is to email support@expl.in whenever we need support.







Please enable Javascript to view this site properly.