PC manufacturer Lenovo had its support website attacked over the weekend when some hackers infected the site with a rogue IFrame, reports Softpedia.com. Visitors looking for drivers have since then been exposed to several exploits that will infect them with the Bredolab trojan. The Lenovo site had been confirmed as infected since at least Sunday afternoon; there are reports of visitors getting antivirus warnings from the website since Saturday.
The IFrame that was injected into the website points to an exploit kit hosted on the domain volgo-marun.cn. The kit would run a few checks to see what software was on the victim’s computer and then serve an exploit pointed at older versions of Internet Explorer, Adobe Reader, or Flash. The exploit tries to remotely execute a file that contains the Bredolab virus. Le Minh Hung, senior security researcher at Vietnamese antivirus vendor Bkis, explains:
These exploit codes attempt to load the file hxxp://volgo-marun.cn/pek/exe.exe, which is a virus, onto the victim’s computer. The virus is a new variant of the Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from a C&C server with the domain sicha-linna8.com.
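The injection described above works because a single rogue IFrame, usually sized or styled so nobody sees it, silently pulls the exploit kit into every page view. A site owner can catch that kind of tampering by periodically scanning their own published pages for IFrames that point outside the site or are hidden from visitors. The scanner below is an added example, not code from the article or from Lenovo or Bkis; the allowlist of first-party hosts and the sample page are constructed for the example, and the second sample IFrame uses the exploit-kit domain named in the article.

```python
"""Added example: scan a page's HTML for injected or hidden IFrames.

Flags an IFrame when its src host is not on the site's allowlist, or when
it is styled so a visitor would never see it (zero size, display:none,
visibility:hidden, or pushed off-screen with a negative left/top).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is allowed to frame. Constructed for the example; a real
# deployment would fill this from the site's own configuration.
ALLOWED_HOSTS = {"download.lenovo.com", "www.lenovo.com"}


class IFrameCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing <iframe/> tags through here.
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dimension_is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def is_hidden(attrs):
    """Heuristic: would a visitor be able to see this IFrame?"""
    style = (attrs.get("style") or "").lower()
    compact = style.replace(" ", "")
    if "display:none" in compact or "visibility:hidden" in compact:
        return True
    if re.search(r"(left|top)\s*:\s*-\d+", style):  # positioned off-screen
        return True
    return _dimension_is_zero(attrs.get("width")) or _dimension_is_zero(attrs.get("height"))


def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings, one per IFrame that is third-party or hidden."""
    parser = IFrameCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        # A relative src has no host and is treated as same-origin.
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append(f"third-party host {host}")
        if is_hidden(attrs):
            reasons.append("hidden from the visitor")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate first-party IFrame and one
# injected, invisible IFrame pointing at the exploit-kit domain from the article.
SAMPLE_HTML = """<html><body>
<h1>Driver downloads</h1>
<iframe src="http://www.lenovo.com/support/widget" width="600" height="400"></iframe>
<iframe src="http://volgo-marun.cn/" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(f"{finding['src']}: {', '.join(finding['reasons'])}")
```

Run against the sample page, the scan reports only the second IFrame, for both reasons. Two caveats a practitioner would want: a static HTML parse does not see IFrames that obfuscated JavaScript writes into the page at runtime, so the scan should be paired with rendering the page in a headless browser, and the hostname allowlist must be maintained, or legitimate third-party widgets will produce noise.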
The download.lenovo.com subdomain was blacklisted by Google while the attack was occurring, so Firefox and Google Chrome would display a warning when the site was visited. After searching for an update about this attack and visiting the Lenovo support site on my own computer, I found that the attack seems to have been cleaned up by now.

You’d think the attackers would take advantage of the fact that visitors to the site are expecting to download executable files already… sneaky.
Glad they got this cleaned up quickly. I am sure this was a nightmare for the Lenovo web team.
This was a good catch, but I bet there are many websites out there that are infected and we DON’T know that they’re infected.
I have no doubt that we hear only a very small proportion of situations like this. What large companies would like this info public?
I wonder if anyone got fired at Lenovo over this. Actually, the bigger story would be how the hackers got into the site. How deep did they get into the server?
Visiting the site from your own computer? Sounds a bit risky. I think a lot of web virus reports from Avast are false positives.