Jun 21 2010
Lenovo’s download site infected with Bredolab botnet
General information
Lenovo’s download site has been serving malicious code since the afternoon of Sunday, June 20th, so users should be careful when visiting it. Currently, if you open the site in Chrome or Firefox, you will see a warning like the following:
Chrome’s warning of malicious code on Lenovo’s download site
Many pages on Lenovo’s download site have been appended with an iframe that redirects visitors to hxxp://volgo-marun.cn/pek/index.php
Malicious code appended to web pages
Decoding the iframe, we find that several Internet Explorer vulnerabilities are exploited to launch the attack.
Exploit code
The exploit code attempts to download the file hxxp://volgo-marun.cn/pek/exe.exe, which is a virus, onto the victim’s computer.
Virus information
The virus is a new variant of the Bredolab botnet, with the following MD5: F5A44C63F8777F544931ABC763F88EE3
Once on the computer, the virus copies itself to %Programs%\Startup\monskc32.exe and receives commands from a C&C server at the domain sicha-linna8.com.
Bredolab Botnet receives commands from C&C server
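The write-up gives three indicators a defender can act on: the host the injected iframe points to, the C&C domain, and the dropped file’s name and MD5. The script below is an added example (not Bkis’ code) that turns them into checks: it parses HTML for iframes that reference the known host or are hidden from the user, greps DNS/proxy log lines for the C&C domain, and scans a Startup folder for the dropped name or hash. The sample HTML, log lines and the decoy startup file are constructed for the demonstration; the real Startup folder path is operator-supplied.

```python
"""Added defensive IoC checks for the incident above (constructed sample inputs)."""
import hashlib
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

IOC_IFRAME_HOSTS = {"volgo-marun.cn"}          # host the injected iframe points to
IOC_C2_DOMAINS = {"sicha-linna8.com"}          # C&C domain from the write-up
IOC_DROPPED_NAME = "monskc32.exe"              # copy dropped into %Programs%\Startup
IOC_MD5 = "f5a44c63f8777f544931abc763f88ee3"   # MD5 from the write-up, lowercased


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _host_of(src):
    # urlparse wants a real scheme; defanged "hxxp" is mapped back only for parsing
    return (urlparse(re.sub(r"^hxxp", "http", src.strip(), flags=re.I)).hostname or "").lower()


def _looks_hidden(attrs):
    """Injected iframes are typically 0x0 or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = lambda v: re.fullmatch(r"0+(px)?", v.strip()) is not None
    return ("display:none" in style or "visibility:hidden" in style
            or (zero(attrs.get("width", "")) and zero(attrs.get("height", ""))))


def find_injected_iframes(html):
    """Return iframes that point at a known bad host or are hidden from the user."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        host = _host_of(attrs.get("src", ""))
        known = any(host == d or host.endswith("." + d) for d in IOC_IFRAME_HOSTS)
        hidden = _looks_hidden(attrs)
        if known or hidden:
            hits.append({"src": attrs.get("src", ""), "host": host,
                         "known_ioc": known, "hidden": hidden})
    return hits


def c2_hits_in_log(lines):
    """Return DNS/proxy log lines that mention the C&C domain."""
    return [l for l in lines if any(d in l.lower() for d in IOC_C2_DOMAINS)]


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_startup_dir(startup_dir):
    """Flag files in a Startup folder matching the dropped name or the known MD5."""
    findings = []
    if not os.path.isdir(startup_dir):
        return findings
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if os.path.isfile(path):
            digest = md5_of_file(path)
            name_match, hash_match = name.lower() == IOC_DROPPED_NAME, digest == IOC_MD5
            if name_match or hash_match:
                findings.append({"path": path, "md5": digest,
                                 "name_match": name_match, "hash_match": hash_match})
    return findings


# Constructed sample inputs (not captured from the real site or a real host)
SAMPLE_HTML = ('<html><body><h1>Drivers</h1>'
               '<iframe src="hxxp://volgo-marun.cn/pek/index.php" width="0" height="0"></iframe>'
               '<iframe src="/support/chat.html" width="300" height="200"></iframe>'
               '</body></html>')
SAMPLE_LOG = ["2010-06-21 09:12:01 dns query A sicha-linna8.com from 10.0.0.17",
              "2010-06-21 09:12:05 dns query A update.example.com from 10.0.0.17"]


def demo_startup_check():
    """Run check_startup_dir on a temp folder holding a constructed decoy file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "monskc32.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the real sample")
        return check_startup_dir(d)
```

Point `check_startup_dir` at the real per-user or all-users Startup folder on a suspect machine; `find_injected_iframes` flags hidden iframes even when the host is unknown, so it also catches the same injection technique with a different domain, while `known_ioc` tells you which hits match this specific incident.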
At the time of writing, the VirusTotal scan result shows that only 10 of 40 AV engines detect this variant.
Bkav users need not worry, as this variant has already been added to our antivirus database.
Le Minh Hung
Senior Security Researcher

[...] http://blog.bkis.com/en/lenovo-download-site-infected-with-bredolab-botnet/ via http://www.net-security.org/malware_news.php?id=1382 Published Mon, Jun 21 2010 23:27 by donna [...]
[...] on an original write up by AV Bkis’ blog, news of these events circulated through a number of tech sites, security and malware focused [...]
[...] information from Bkis, many customers who visited the Lenovo website on June 22 and 23 to download [...]
Huhu! That is really scary!…