Is Philippine Bureau of Immigration website compromised, hosting malware?

Websense Security Labs™ and the Websense ThreatSeeker® Network report detecting malicious emails disguised as HSBC notifications. A closer look at these emails, like the one shown below, reveals that the link provided in them is a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and on the site there is a file named “atualizar.php”; “atualizar” is Portuguese and translates to “update”, so the name reads as “update.php”.

The file was probably replaced or inserted maliciously. Requesting the link “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” returns HTTP status code 302, the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload. The wget session below shows the redirect and the download:

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.

    --2011-08-10 17:15:05--  (try: 2)  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: “atualizar.exe”

    100%[============================================================================>] 699,460     63.4K/s   in 12s

    2011-08-10 17:15:17 (57.2 KB/s) - “atualizar.exe”
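As an added illustration (not code from the original post or from Websense), the Python script below rebuilds the redirect chain seen in the wget session on a local stand-in server and traces it the way a defender triaging a phishing link would: with HEAD requests only, never following redirects automatically, retrying once when the server hangs up without answering (the "No data received" hop above), and flagging a chain that ends at a Windows executable served from a Joomla administrator path. The URL paths are the ones from the post; the localhost server, the `flaky` first response, the function names and the two-byte MZ stub used as a payload are all constructed for this example.

```python
import http.client
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Indicators that the final hop hands the browser a Windows program to save.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-msdownload",
                    "application/x-dosexec", "application/vnd.microsoft.portable-executable"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl")

# Paths from the post; the host they are served from here is a constructed stand-in.
PHP_PATH = "/administrator/components/com_media/old/atualizar.php"
EXE_PATH = "/administrator/components/com_media/old/atualizar.exe"
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62   # constructed: an MZ header stub, not a real program


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx automatically so every hop is visible and nothing is fetched blindly."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def trace_redirects(url, max_hops=5, retries=2):
    """Walk a link hop by hop with HEAD requests, recording status, Location and Content-Type.
    HEAD means the payload body is never downloaded; an empty reply is retried like wget does."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_hops):
        status = headers = None
        for _attempt in range(retries):
            try:
                resp = opener.open(urllib.request.Request(url, method="HEAD"), timeout=5)
                status, headers = resp.status, resp.headers
                break
            except urllib.error.HTTPError as e:          # 3xx/4xx/5xx surface here
                status, headers = e.code, e.headers
                break
            except (OSError, http.client.HTTPException):  # hung-up connection, "No data received"
                continue
        if status is None:                                # every attempt failed: stop the walk
            chain.append({"url": url, "status": None, "location": None, "content_type": ""})
            break
        hop = {"url": url, "status": status,
               "location": headers.get("Location"),
               "content_type": headers.get("Content-Type", "").split(";")[0].strip().lower()}
        chain.append(hop)
        if status in (301, 302, 303, 307, 308) and hop["location"]:
            url = urljoin(url, hop["location"])          # Location may be relative
        else:
            break
    return chain


def assess(chain):
    """Turn a redirect chain into a verdict a mail gateway or proxy rule could act on."""
    last = chain[-1]
    path = urlparse(last["url"]).path
    flags = []
    if path.lower().endswith(EXECUTABLE_EXTENSIONS):
        flags.append("final URL names a Windows executable")
    if last["content_type"] in EXECUTABLE_TYPES:
        flags.append("final Content-Type is " + last["content_type"])
    if "/administrator/" in path:
        flags.append("served from a Joomla administrator path, not a public download area")
    return {"verdict": "suspicious" if flags else "clean", "hops": len(chain) - 1, "flags": flags}


class _FakeSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the compromised site: 302 from the .php to the .exe."""
    flaky = True   # the first request for the .exe is dropped, mirroring wget's "No data received"

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _respond(self, send_body):
        if self.path == PHP_PATH:
            self.send_response(302)
            self.send_header("Location", EXE_PATH)
            self.end_headers()
        elif self.path == EXE_PATH:
            if type(self).flaky:
                type(self).flaky = False
                self.close_connection = True   # hang up without a status line
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/x-msdos-program")
            self.send_header("Content-Length", str(len(FAKE_PAYLOAD)))
            self.end_headers()
            if send_body:
                self.wfile.write(FAKE_PAYLOAD)
        else:
            self.send_error(404)

    def do_HEAD(self):
        self._respond(False)

    def do_GET(self):
        self._respond(True)


def start_fake_site():
    """Serve the stand-in on a free loopback port and return its base URL."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    base = start_fake_site()
    chain = trace_redirects(base + PHP_PATH)
    for hop in chain:
        print(hop["status"], hop["url"], hop["content_type"], hop["location"] or "")
    print(assess(chain))
```

Run it and the trace prints the 302 hop, then the 200 hop with the executable Content-Type, followed by a "suspicious" verdict with three flags. Pointing `trace_redirects` at a real link changes nothing about the fetch: HEAD plus no automatic redirects means the analyst sees the whole chain without the payload ever touching disk.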

 

Trend Micro flags this file as malicious.


You can find the VirusTotal analysis results for this .exe, which show it being detected by several different AV solutions.

Source Reference: Websense Security Labs
