SechoDB, trekking through tech...

Lenovo site infects users with Trojan.

6/24/2010

The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo's download website since Saturday.

The IFrame points to an exploit kit hosted on a domain called volgo-marun.cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player.

"These exploit codes attempt to load file hxxp://volgo-marun.cn/pek/exe.exe which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain sicha-linna8.com," Le Minh Hung, senior security researcher at Bkis, writes.

At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo.com subdomain has been blacklisted by Google's Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

"Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including volgo-marun.cn/," a detailed explanation of the Google warnings reads.

Even though the malicious .cn domain appears to be dead at the moment, it could come back online at any time. Therefore, users are advised to steer clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

As reported by Softpedia Security.

And, as you'll soon start seeing a pattern in these types of attacks, namely that they always target older versions of software, make sure you keep your computers' software up to date! Having the latest version of a program always has its benefits, so upgrade and update!

Microsoft Security Advisory

6/15/2010

Microsoft issued a new Security Advisory for a flaw in the Windows Help and Support Center. The vulnerability affects Windows XP and Server 2003; Vista and 7 are unaffected.

This vulnerability allows the help links in the Help Center to be hijacked to run executables on the victim’s computer.

Unregistering the HCP Protocol prevents this issue from being exploited on affected systems.

For that, you'll need to access the ROOT hive of your registry. If you don't know what that is or are not familiar with it, I suggest you don't mess with it. Doing so can render your computer useless.

So, you can do one of two things: delete the HCP registry key or rename it.

As always, back up your registry first.
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\HCP
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter HCP_Protocol_Backup.reg and click Save.

Note: This will create a backup of this registry key in the My Documents folder by default.

Then proceed to delete the registry key.

5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

or rename it...

6. Right-click the HCP key and click Rename on the pop-up menu. Change its name to something like "HCP-Offline", "HCP-Disabled" or whatever you like.

And once there's notice that the issue is resolved, just remember to go back and change its name back to HCP.
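The backup, rename-or-delete and restore steps above as one script, added here as an example (it is not part of Microsoft's advisory or this post). It assumes an elevated (Administrator) PowerShell session on the affected XP/2003 machine and stores the backup under the user's Documents folder; both are assumptions.

```powershell
# Added example: scripts the HCP workaround described above. Must run elevated,
# because keys under HKEY_CLASSES_ROOT are not writable by a standard user.
$HcpKey      = 'Registry::HKEY_CLASSES_ROOT\HCP'
$DisabledKey = 'Registry::HKEY_CLASSES_ROOT\HCP-Disabled'
# Assumed backup location; timestamped so an existing file never triggers an overwrite prompt
$BackupFile  = Join-Path $env:USERPROFILE ("Documents\HCP_Protocol_Backup_{0}.reg" -f (Get-Date -Format 'yyyyMMdd_HHmmss'))

function Test-HcpProtocolRegistered {
    # True while the HCP key exists, i.e. hcp:// links are still handled by the Help Center
    return (Test-Path -Path $HcpKey)
}

function Backup-HcpProtocol {
    # Equivalent to File > Export in regedit; reg.exe writes a standard .reg file
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\HCP failed; not touching the key." }
    return $BackupFile
}

function Disable-HcpProtocol {
    param([switch]$Delete)   # default is the reversible rename (step 6); -Delete does step 5
    if (-not (Test-HcpProtocolRegistered)) { Write-Host 'HCP key not present; nothing to do.'; return }
    $saved = Backup-HcpProtocol
    Write-Host "Backup written to $saved"
    if ($Delete) {
        Remove-Item -Path $HcpKey -Recurse -Force
    } else {
        Rename-Item -Path $HcpKey -NewName 'HCP-Disabled'
    }
}

function Restore-HcpProtocol {
    # Undo the workaround once a patch is installed: rename back, or re-import the .reg backup
    if (Test-Path -Path $DisabledKey) {
        Rename-Item -Path $DisabledKey -NewName 'HCP'
    } elseif (Test-Path -Path $BackupFile) {
        & reg.exe import $BackupFile | Out-Null
    } else {
        throw 'No renamed key and no backup file found; restore manually from your own export.'
    }
}

Disable-HcpProtocol
Write-Host "hcp: handler still registered: $(Test-HcpProtocolRegistered)"   # should print False
```

Run `Restore-HcpProtocol` from the same session (or re-import the .reg file by hand) when the fix ships.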

Stay safe out there.

Troubles in Flash

6/12/2010

The Flash platform has been the subject of very serious attacks and exploits lately. http://blogs.adobe.com/asset/2010/06/

Make sure your PC is not compromised, update to the latest version of Flash (ver. 10.1) here: http://get.adobe.com/flashplayer/
