Warning! Lenovo download sites infected by trojan downloader

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Warning! Lenovo download sites infected by trojan downloader

#1 Post by Mornsgrans » Sat Jun 19, 2010 11:58 am

Solved (click here)

----------------------------------------------------------------------
Hello,
the following driver matrix sites for ThinkPads contain a link to a trojan downloader:

hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-61596.html (R51e)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-67100.html (X41 Tablet)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-68184.html (Reserve Edition)
hxxp://download.lenovo.com/lenovo/content/ddfm/MIGR-46024.html (R40, R40e)

hxxp://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-74581 (Edge)

A script leads to hxxp://volgo-marun.cn/pek/...
("http" changed to "hxxp")

I have sent the information via site feedback to Lenovo and informed forums.lenovo.com.

Be careful

Link to warning in German thinkpad-forum:
http://www.thinkpad-forum.de/software/t ... bermatrix/

Link to Lenovo forum:
http://forums.lenovo.com/t5/General-Dis ... alse#M7996
Last edited by Mornsgrans on Tue Jun 22, 2010 2:17 pm, edited 4 times in total.
Thinkpads: 390, 570, A20m 15", A20m 14", T22, T41, T41p and a lot more...

Harryc
Moderator Emeritus
Posts: 13228
Joined: Thu Apr 12, 2007 8:23 am
Location: Upstate New York

Re: Warning! Lenovo download sites infected by trojan downloader

#2 Post by Harryc » Sat Jun 19, 2010 12:02 pm

This doesn't make sense. How would a Lenovo corporate website get hacked? How does the script run?

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Re: Warning! Lenovo download sites infected by trojan downloader

#3 Post by Mornsgrans » Sat Jun 19, 2010 12:07 pm

It is not the first website which got hacked - if it is real.

Attached you will find the source code of the frame with the link to the trojan downloader:
Image

Feel free to test it.
If you follow the link to the German thinkpad-forum in my posting above, you will find the antivirus warnings (screenshots) of several users who tested it.

Answer of a moderator in the Lenovo forum:
Mornsgrans - thanks for the info. we've been discussing this internally since early this morning and are looking into the situation. we hope to have a solution soon.

thanks,
-erik

Harryc
Moderator Emeritus
Posts: 13228
Joined: Thu Apr 12, 2007 8:23 am
Location: Upstate New York

Re: Warning! Lenovo download sites infected by trojan downloader

#4 Post by Harryc » Sat Jun 19, 2010 12:19 pm

Well, this is not good news, but thanks for sharing it. If Lenovo got hacked, the implications are far beyond a simple trojan downloader. How many of you have personal information at IBM or Lenovo in accounts there? Ever buy anything from Lenovo or IBM? The other implication is that their internal network security is not good.

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Re: Warning! Lenovo download sites infected by trojan downloader

#5 Post by Mornsgrans » Sat Jun 19, 2010 12:33 pm

Let's wait for the results and don't wonder, if the Lenovo website will be turned off.

erik
moderator
Posts: 3596
Joined: Sun Apr 25, 2004 12:52 pm
Location: United States

Re: Warning! Lenovo download sites infected by trojan downloader

#6 Post by erik » Sat Jun 19, 2010 2:36 pm

sadly, not much can be done on the weekend. the news is being spread internally and it will be handled as soon as humanly possible.
ThinkStation P700 · C20 | ThinkPad P40 · 600

killer
ThinkPadder
Posts: 1483
Joined: Mon May 28, 2007 5:26 am
Location: West Sussex, UK

Re: Warning! Lenovo download sites infected by trojan downloader

#7 Post by killer » Sat Jun 19, 2010 5:17 pm

This is really scary, so thanks to Mornsgrans for bringing it to everyone's attention. :thumbs-UP:

Meanwhile I'll stay clear of Lenovo's website.
T540p Win 7 Pro 64

X1 Carbon Win 7 Pro 64 for my wife.

Time flies like an arrow; fruit flies like a banana.

Dogs must be carried on the escalator. Where can I find a dog?

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Warning! Lenovo download sites infected by trojan downloader

#8 Post by ThinkRob » Sun Jun 20, 2010 11:43 am

Woah.

You're right.

There is indeed a hidden IFRAME on those pages.

Yikes. Might want to tip off /. etc...
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none
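
A site owner can audit served pages for the kind of hidden IFRAME reported in this thread by flagging frames that are both invisible and loaded from a host outside an allow-list. This is an added example, not code from any poster or from Lenovo; the page URL, host names and sample HTML are constructed, and the hidden-style heuristics are an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline styles that make a frame invisible (a heuristic list, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class FrameAuditor(HTMLParser):
    """Collect <iframe> tags that are both hidden and served from a foreign host."""

    def __init__(self, page_url, trusted_hosts):
        super().__init__()
        self.page_url = page_url
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))   # resolves /path and //host forms
        host = (urlparse(src).hostname or "").lower()
        tiny = any(a.get(d, "").strip() in {"0", "1"} for d in ("width", "height"))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if hidden and host not in self.trusted:
            self.findings.append((host, src))

def audit(html, page_url, trusted_hosts):
    """Return [(host, resolved_src), ...] for hidden off-site iframes in html."""
    parser = FrameAuditor(page_url, trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: hypothetical site and hosts, not the pages from the thread.
PAGE_URL = "https://downloads.example.com/matrix.html"
TRUSTED = {"downloads.example.com"}
SAMPLE = """<html><body><h1>Driver matrix</h1>
<iframe src="/help/frame.html" width="600" height="400"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected.example.net/a/" width="1" height="1"></iframe>
<IFRAME SRC="//injected.example.net/b" STYLE="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for host, src in audit(SAMPLE, PAGE_URL, TRUSTED):
        print(f"hidden off-site iframe -> {host}  ({src})")
```

The visible third-party embed is not reported; only frames that are invisible and off the allow-list are, which keeps the check usable on pages with legitimate embeds.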

moronoxyd
Sophomore Member
Posts: 127
Joined: Sun Aug 20, 2006 10:49 am
Location: Berlin, Germany

Re: Warning! Lenovo download sites infected by trojan downloader

#9 Post by moronoxyd » Sun Jun 20, 2010 1:51 pm

Harryc wrote: Well, this is not good news, but thanks for sharing it. If Lenovo got hacked, the implications are far beyond a simple trojan downloader. How many of you have personal information at IBM or Lenovo in accounts there? Ever buy anything from Lenovo or IBM? The other implication is that their internal network security is not good.
Well, that Lenovo's webserver was compromised does not automatically mean that any personal information is in jeopardy.

It very much depends on what security hole was used to install the trojan. Maybe the intruders only had/have very limited access, or maybe they can do much worse.
IBM ThinkPad R61 | IBM ThinkPad X60 | IBM ThinkPad X32 | IBM ThinkPad T23

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Warning! Lenovo download sites infected by trojan downloader

#10 Post by jdhurst » Sun Jun 20, 2010 2:14 pm

Let us hope they have contained this problem. I have a T61p that is not on this list above. I know a new version of Access Connections is out, so I went there today, downloaded it and installed it. I sync'd the drivers back to my M90p and so far I do not see any problems of any kind. .... JDH

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Re: Warning! Lenovo download sites infected by trojan downloader

#11 Post by Mornsgrans » Sun Jun 20, 2010 2:23 pm

jdhurst wrote: Let us hope they have contained this problem. I have a T61p that is not on this list above. I know a new version of Access Connections is out, so I went there today, downloaded it and installed it. I sync'd the drivers back to my M90p and so far I do not see any problems of any kind. .... JDH
My Firefox blocks every ThinkPad model I select from the driver matrix page.

See: http://forums.lenovo.com/t5/General-Dis ... 1901#M8004


Edit:
I've got the information a few minutes ago - but not tested - that the server from which the trojan downloader gets fetched, is up again.

Edit 2:

heise.de wrote a short time ago:
Update:
There is now solid evidence that the dropper was the "Phoenix kit" and reloaded at the pest to the "Bredolab Trojan".
Info about the trojan horse: http://www.malwaredomainlist.com/mdl.ph ... uantity=50

Heise also wrote that the iFrame has been removed from the Lenovo download site, but please stand by until the moderators in the http://forum.lenovo.com/t5/General-Disc ... 901/page/2 confirm it.

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Re: Warning! Lenovo download sites infected by trojan downloader

#12 Post by Mornsgrans » Mon Jun 21, 2010 12:42 pm

Mark_Lenovo from forum.lenovo.com (2010.06.21):
All,

Our e-support teams have been actively investigating and working to correct this issue. An initial round of clean up has been completed, and a secondary re-validation is in progress to ensure all infected files have been remediated.

Investigation of the source of the infection is also underway, and I feel confident that preventative measures will be undertaken to prevent a similar future recurrence.

It may take up to 24 hours for our site to be fully reviewed and cleared by many of these 3rd party alerts.

We appreciate your patience as we work through this, and will provide further updates once the work is completed.

Best regards,

Mark

Edit:
Update by Mark_Lenovo (2010.06.22)
The site has been confirmed cleared of Malware, and Google has rescanned and cleared the ban / warnings.

You should be able to access the site with confidence now. If you accessed the download section between late 6/18/2010 and 6/21/2010, I would recommend that you run an antivirus scan on your system. I would also suggest ensuring that the AV that you are using is up to date.

Additional updates to follow.

Mornsgrans
Posts: 37
Joined: Wed Nov 05, 2008 6:35 am

Re: Warning! Lenovo download sites infected by trojan downloader

#13 Post by Mornsgrans » Fri Jun 25, 2010 1:42 pm

Last update:

Details about the trojan and the website linked in the suspicious iFrame can be found here:
http://www.wilderssecurity.com/showthread.php?p=1698250

The discussion in the Lenovo forum has been finished. I hope that Lenovo will establish an emergency system so that also on bank holidays and at weekends Lenovo will be able to act earlier...

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Warning! Lenovo download sites infected by trojan downloader

#14 Post by GomJabbar » Fri Jun 25, 2010 5:26 pm

Mark@Lenovo wrote: You should be able to access the site with confidence now. If you accessed the download section between late 6/18/2010 and 6/21/2010, I would recommend that you run an antivirus scan on your system. I would also suggest ensuring that the AV that you are using is up to date.
Hmmm. I had confidence before. Not so much now. :(

Turns out that I accessed the download site during those dates and I was surprised that my AV software did not report anything. I subsequently performed an AV scan from SAFE MODE and got a clean report. Looking again at the original post, I see that I was not in the matrix pages of the systems affected. :>)
Mark@Lenovo wrote: I would also suggest ensuring that the AV that you are using is up to date.
I say what's good for the goose is good for the gander. :idea:
DKB
