Is Philippine Bureau of Immigration website compromised, hosting malware?

Websense Security Labs™ and the Websense ThreatSeeker® Network report detecting malicious emails disguised as HSBC notifications. A closer look at these emails, like the one shown below, reveals that the link they carry points to a compromised URL on the Philippine Bureau of Immigration website.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and the site contains a file named “atualizar.php”; “atualizar” is a Portuguese word that translates to “update”, so the file name means “update.php”.

The file was probably replaced or inserted maliciously. Requesting the link “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” returns HTTP status code 302, the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload…

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.
    --2011-08-10 17:15:05-- (try: 2) http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: “atualizar.exe”
    100%[============================================================================>] 699,460 63.4K/s in 12s
    2011-08-10 17:15:17 (57.2 KB/s) - “atualizar.exe”
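The chain in the wget session above (a .php that answers 302 and a final hop served as application/x-msdos-program) is the kind of thing an analyst wants to see without ever letting a client follow the redirect or save the binary. The following Python script is an added example written for this post, not code from the original article or from Websense: it requests one hop at a time with automatic redirects switched off, records status, Location and Content-Type for each hop, and flags chains that land on an executable. The host names compromised-site.invalid and benign.invalid are placeholders, and the replayed responses are constructed to mirror the session above so the script runs offline.

```python
"""Redirect-chain tracer: request each hop with automatic redirects switched off
and flag chains that end in an executable, as the .php -> .exe 302 above does.
Added example, not the post's code; all host names below are placeholders."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# MIME types and extensions a link from a "bank notification" should never resolve to.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-msdownload",
                    "application/x-dosexec"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".msi", ".bat")
REDIRECT_CODES = {301, 302, 303, 307, 308}

# (status, Location header, Content-Type header, first bytes of the body)
Response = Tuple[int, Optional[str], Optional[str], bytes]

@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]
    content_type: Optional[str]
    magic: bytes

@dataclass
class ChainReport:
    hops: List[Hop] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.reasons else "clean"

def live_fetch(url: str, max_bytes: int = 4) -> Response:
    """One request with redirects disabled; read only the first body bytes."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # urllib then raises HTTPError for the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return (resp.status, resp.headers.get("Location"),
                    resp.headers.get("Content-Type"), resp.read(max_bytes))
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.headers.get("Content-Type"), b""

def _assess(hop: Hop, report: ChainReport) -> None:
    """Record why one hop looks like it is delivering a Windows binary."""
    ctype = (hop.content_type or "").split(";")[0].strip().lower()
    if hop.location:
        target = urlparse(urljoin(hop.url, hop.location)).path.lower()
        if target.endswith(EXECUTABLE_EXTS):
            report.reasons.append(f"{hop.url}: {hop.status} redirect to executable {target}")
    if ctype in EXECUTABLE_TYPES:
        report.reasons.append(f"{hop.url}: executable Content-Type {ctype}")
    elif hop.magic.startswith(b"MZ"):
        # PE header behind a harmless-looking Content-Type: a disguised download.
        report.reasons.append(f"{hop.url}: MZ header but Content-Type {ctype or 'missing'}")

def trace(url: str, fetch: Callable[[str], Response] = live_fetch,
          max_hops: int = 5) -> ChainReport:
    """Walk the chain from url one hop per request; nothing is saved or executed."""
    report, seen, current = ChainReport(), set(), url
    for _ in range(max_hops):
        if current in seen:
            report.reasons.append(f"redirect loop at {current}")
            return report
        seen.add(current)
        status, location, ctype, magic = fetch(current)
        hop = Hop(current, status, location, ctype, magic)
        report.hops.append(hop)
        _assess(hop, report)
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)
        else:
            return report
    report.reasons.append(f"chain exceeded {max_hops} hops")
    return report

# Constructed replay of the session above on a placeholder host, so the tracer
# can be exercised offline without contacting any live server.
BASE = "http://compromised-site.invalid/administrator/components/com_media/old/"
CONSTRUCTED = {
    BASE + "atualizar.php": (302, BASE + "atualizar.exe", "text/html", b""),
    BASE + "atualizar.exe": (200, None, "application/x-msdos-program", b"MZ\x90\x00"),
    "http://benign.invalid/index.php": (200, None, "text/html; charset=utf-8", b"<!DO"),
}

def replay_fetch(url: str) -> Response:
    return CONSTRUCTED[url]

def demo() -> ChainReport:
    return trace(BASE + "atualizar.php", fetch=replay_fetch)
```

Running demo() yields two hops (302, then 200) and a "suspicious" verdict with two reasons: the redirect target ends in .exe, and the final hop is served with an executable Content-Type. The MZ check on the first four body bytes catches the variant where the server lies about the Content-Type; the loop and hop-count guards keep the tracer from spinning on a deliberately recursive redirect. Swapping replay_fetch for the default live_fetch runs the same logic against a real URL from a sandboxed analysis host.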

Trend Micro flags this file as malicious…

[image: Trend Micro detection result]

The VirusTotal analysis results for this .exe show it being detected by several different AV solutions.

Source Reference: Websense Security Labs
