
PC Maker's Support Page Succumbs To Compromise

Date post: 18-Nov-2014
Upload: trend-micro
Description:
TrendLabs examines the recent compromise of a Lenovo support page which resulted in visitors unknowingly downloading the BREDOLAB trojan.
Transcript
Page 1: PC Maker's Support Page Succumbs To Compromise

1 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

Figure 1. Lenovo support page compromise infection diagram

ISSUE NO. 67 JULY 5, 2010

PC Maker’s Support Page Succumbs to Compromise

Although they may not be quite as high profile as they were a few years ago, cybercriminals are still compromising legitimate, high-traffic sites to facilitate more targeted Web attacks. The latest victim to fall prey to this type of attack is the Chinese PC manufacturer Lenovo: a malicious iframe that led to the download of a BREDOLAB variant was embedded into its support page.

The Threat Defined

Compromising websites is one of the most effective tactics cybercriminals use to capture more victims. This allows them to conveniently distribute malware without requiring user action to load malicious code. It is also a silent means by which threats are delivered that does not require social engineering to trick users into downloading malicious content. All it relies on is the popularity of the websites it targets, which usually have large numbers of trusting users that are potential infection victims.

Unlike most compromises that target a wide range of websites, this latest compromise used a more focused approach, targeting only a specific but very popular website. It targeted Lenovo’s website and, in effect, its customers who were looking to download relevant software for their systems.

Lenovo is one of the most popular brands of computing devices, ranking as the fourth largest PC vendor worldwide. It is also well-represented in the corporate market because its ThinkPad products are commonly used in offices. It is also the biggest seller in China, which accounts for the largest proportion of the Internet population globally. Needless to say, these factors make Lenovo a very appealing target for a website compromise.

In this particular attack, cybercriminals injected a malicious iframe into the Lenovo site’s support page, from which customers usually go to download driver updates and manuals. Users who then visited this page instead downloaded TROJ_BREDOLAB.BY onto their computers.

TROJ_BREDOLAB.BY drops a copy of itself as well as other nonmalicious files onto the affected system. It makes sure that it remains resident on the computer’s memory by injecting itself into the SVCHOST.EXE process. This routine makes it more difficult to terminate and remove this Trojan from an affected system.

Once it executes, it connects to a website, which possibly hosts a number of other malicious programs that can be downloaded onto an affected system. When users visit the compromised page, they become susceptible to further malware attacks.

The infection was limited to only the download.lenovo.com domain while the general lenovo.com domain remained unaffected. Users who accessed the site with Firefox and Chrome browsers were able to see malware warnings when opening the resources hosted on the support page. This indicates that the affected pages were indeed infected and blocked by Google’s Safe Browsing service.

2 of 2 – WEB THREAT SPOTLIGHT

Users used to be quite safe while surfing the Web as long as they stayed away from sites that were notorious for hosting malware, such as adult and warez sites. However, the inception of website compromises changed the whole threat landscape in the sense that not even legitimate sites can be trusted anymore. In the past, website compromises resulted in thousands of sites being hacked on a daily basis. This may not be the case today, but site compromises can certainly occur anytime to anyone. Clearly, it is important for users to protect their systems from Web threats that may result from hacking. It is also the responsibility of anyone with a website to make sure that his/her site stays secure and free from exploits.

User Risks and Exposure

BREDOLAB is a simple downloading platform that gained popularity in 2009 for facilitating the distribution of other prominent malware families. Behind this simple program, however, is a bigger network of underground activities. It has been affiliated with other malware families, particularly ZeuS and FAKEAV variants, in order to gain profit. Thus, systems that have been affected by this downloader may become hosts to other malware attacks in an attempt to build botnets or may be used in pay-per-install (PPI) scams related to rogue antivirus applications.

Any company that owns a compromised website is at risk of losing its customers’ trust. In Lenovo’s case, the page remained infected over the weekend, giving cybercriminals ample time to infect many users. Some users raised their concerns on the company’s official forum, commenting that nobody could be reached since the downloader had been found and that Lenovo should be prudent enough to shut down the site until the issue has been resolved. Although the company acknowledged the incident and admitted that there was ample room for improvement, damage has already been done to the company’s reputation.

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.

In this attack, Smart Protection Network’s Web reputation technology prevented access to malicious URLs that may have hosted copies of TROJ_BREDOLAB.BY and to the other malicious URLs that this BREDOLAB variant connected to. File reputation technology detected and consequently removed the malicious file detected as TROJ_BREDOLAB.BY and any other malware that it may have subsequently downloaded.

Trend Micro Titanium Internet Security provides automatic protection against viruses and spyware for netbook users. It is a lightweight solution that runs in the background to give users the protection they need while browsing the Internet without slowing down their netbooks. Trend Micro Internet Security also protects desktop and laptop users.

Users are also encouraged to adhere to the following best practices when browsing the Internet:

• Because traditional antivirus software does not block legitimate sites even when compromised, users are advised to use security suites that utilize Web Reputation technology to block access to malicious sites.

• Website administrators should regularly scan their sites to ensure that these do not inadvertently host any malware.

• Users should keep their guards up when surfing the Web. Always hover over a link to see if it looks legitimate or not. If the URL looks obscure, it could be a redirect. It is always safer to err on the side of caution.

• Users can run a malware scan as well using free tools like HouseCall to confirm if their systems have been infected.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/lenovo-support-page-compromise-leads-to-bredolab/

The virus report is found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BREDOLAB.BY

Other related posts are found here:
http://en.wikipedia.org/wiki/Market_share_of_leading_PC_vendors
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf
http://forums.lenovo.com/t5/General-Discussion/Warning-Lenovo-download-site-is-infected-by-trojan-downloader/td-p/241901
http://lenovoblogs.com/connections/?p=1492