Is Philippine Bureau of Immigration website compromised, hosting malware?

According to Websense Security Labs™ and the Websense ThreatSeeker® Network, they have detected malicious emails disguised as HSBC Notifications.  A closer look at these emails, like the one you can see below, reveals that the link provided in the emails is a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration is using Joomla as their CMS and there is a file named “atualizar.php” which is a Portuguese word and translate to “update.php”. 

The file was probably replaced or inserted maliciously. This link “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” if you hit it, the HTTP response status code is 302 which is the most common way of performing a redirection. It redirect to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe” which probably contain the actual payload…

   1:  

   2: [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php

   3: --2011-08-10 

   4: 17:15:03-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php

   5: Resolving 

   6: immigration.gov.ph... 124.6.144.116

   7: Connecting to 

   8: immigration.gov.ph|124.6.144.116|:80... connected.

   9: HTTP request sent, 

  10: awaiting response... 302 Found

  11: Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe 

  12: [following]

  13: --2011-08-10 17:15:04-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe

  14: Reusing 

  15: existing connection to immigration.gov.ph:80.

  16: HTTP request sent, awaiting 

  17: response... No data received.

  18: Retrying.

  19: --2011-08-10 17:15:05-- (try: 2) http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe

  20: Connecting 

  21: to immigration.gov.ph|124.6.144.116|:80... connected.

  22: HTTP request sent, 

  23: awaiting response... 200 OK

  24: Length: 699460 (683K) 

  25: [application/x-msdos-program]

  26: Saving to: âatualizar.exeâ

  27: 100%[============================================================================>] 

  28: 699,460 63.4K/s in 12s

  29: 2011-08-10 17:15:17 (57.2 KB/s) - âatualizar.exeâ

 

Trend Micro flag this file as malicious….

image

You can find the VirusTotal analysis results for this .exe as it is detected by different AV solutions.

Source Reference: Websense Security Labs

2,132 Comments

  1. Pingback: read leadership

  2. Pingback: buy beastiality porn

  3. Pingback: resources decor

  4. Pingback: prowadzenie sklepu internetowego

  5. Pingback: midnight g box firmware

  6. Pingback: read dresses

  7. Pingback: Internet Marketing In Atlanta

  8. Pingback: Build a Bike for Charity

  9. Pingback: like it

  10. Pingback: sheer lingerie

  11. Pingback: Parrots

  12. Pingback: Sell Lego

  13. Pingback: how to attract a woman instantly

  14. Pingback: Aikijujitsu

  15. Pingback: GTA V

  16. Pingback: Get PSN Gratuit

  17. Pingback: Insta Hacker

  18. Pingback: Atlanta Local Business SEO

  19. Pingback: Anti Aging Cream

  20. Pingback: boston ma limousine service

  21. Pingback: Name Rings

  22. Pingback: mario games 66

  23. Pingback: razor

  24. Pingback: boston taxi from airport

  25. Pingback: www.gostate.com

  26. Pingback: Goriani art

  27. Pingback: best phytoceramide supplement

  28. Pingback: How can you Increase Your LIst using Solo Ads?

  29. Pingback: Al Masry Afandi

  30. Pingback: Read This

  31. Pingback: netherlands hosting

  32. Pingback: does pure garcinia cambogia really work

  33. Pingback: vin

  34. Pingback: marjariasana

  35. Pingback: Balance your Home business and family life

  36. Pingback: pullingoil

  37. Pingback: work at home

  38. Pingback: make money on the internet

  39. Pingback: make money online

  40. Pingback: Shergate Condos Mississauga

  41. Pingback: where can you purchase garcinia cambogia

  42. Pingback: blog

  43. Pingback: online geld verdienen

  44. Pingback: AZ Pool Contractor

  45. Pingback: pokemon t shirt

  46. Pingback: Addiction Treatment

  47. Pingback: Need For Speed

  48. Pingback: where can you buy forskolin

  49. Pingback: garcinia cambogia pill

  50. Pingback: http://aaadesignsforweb.com

Leave a Comment

Your email address will not be published. Required fields are marked *