Is Philippine Bureau of Immigration website compromised, hosting malware?

According to Websense Security Labs™ and the Websense ThreatSeeker® Network, malicious emails disguised as HSBC notifications have been detected. A closer look at these emails, like the one shown below, reveals that the link they contain points to a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and on the site there is a file named “atualizar.php”. “Atualizar” is Portuguese for “update”, so the name translates to “update.php”.

The file was probably replaced or inserted maliciously. Requesting “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” returns HTTP status code 302, the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload:

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.
    --2011-08-10 17:15:05--  (try: 2)  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: ‘atualizar.exe’
    100%[============================================================================>] 699,460 63.4K/s in 12s
    2011-08-10 17:15:17 (57.2 KB/s) - ‘atualizar.exe’
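The transcript above shows the pattern a defender wants to catch: a .php URL from a "notification" email answers 302 and hands the browser a Windows executable. The following Python script, added here as an example and not code from the original post or from Websense, traces such a chain one hop at a time with redirects disabled, never touches the response body, and returns a verdict. The `fetch` callable is injected so the example runs offline; the sample responses are constructed from the wget session in the article, plus two made-up `example.test` URLs (a benign page and a redirect loop) to show the other outcomes.

```python
"""Trace an HTTP redirect chain hop by hop, without following redirects
automatically or executing anything, and flag chains that end in a
Windows executable.

Added example for this write-up, not code from the original post or from
Websense. fetch() is an injected callable so the example runs offline;
the sample responses below are constructed from the wget transcript in
the article, plus two made-up example.test URLs for a loop and a benign
page.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
# A bank "notification" has no business delivering any of these.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-msdownload",
                    "application/octet-stream"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def follow_chain(url, fetch, max_hops=5):
    """Return the list of (url, status, content_type) visited.
    fetch(url) must issue one request with redirects disabled and return
    (status, headers_dict); the body is never read, let alone run."""
    chain, seen = [], set()
    for _ in range(max_hops + 1):
        if url in seen:                      # A -> B -> A
            chain.append((url, None, "loop"))
            break
        seen.add(url)
        status, headers = fetch(url)
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        chain.append((url, status, ctype))
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # Location may be relative
            continue
        break
    return chain


def assess(chain):
    """Short verdict for a traced chain."""
    final_url, status, ctype = chain[-1]
    if ctype == "loop":
        return "redirect-loop"
    if status != 200:
        return "unresolved"
    if ctype in EXECUTABLE_TYPES or urlparse(final_url).path.lower().endswith(EXECUTABLE_EXTS):
        return "executable-download"
    return "content"


# Constructed responses. The first two mirror the article's wget session.
BOI = "http://immigration.gov.ph/administrator/components/com_media/old/"
SAMPLE_RESPONSES = {
    BOI + "atualizar.php": (302, {"Location": BOI + "atualizar.exe"}),
    BOI + "atualizar.exe": (200, {"Content-Type": "application/x-msdos-program",
                                  "Content-Length": "699460"}),
    "http://example.test/login": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "http://example.test/a": (302, {"Location": "/b"}),   # relative Location
    "http://example.test/b": (302, {"Location": "/a"}),
}


def sample_fetch(url):
    """Offline stand-in for a single HTTP request with redirects disabled."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def analyze(url, fetch=sample_fetch):
    """Trace url and return (chain, verdict)."""
    chain = follow_chain(url, fetch)
    return chain, assess(chain)


if __name__ == "__main__":
    for start in (BOI + "atualizar.php", "http://example.test/login", "http://example.test/a"):
        chain, verdict = analyze(start)
        print(verdict)
        for hop in chain:
            print("   ", hop)
```

To run this against live URLs, replace `sample_fetch` with a client that does not follow redirects on its own (Python's `http.client.HTTPConnection` behaves that way; `urllib.request.urlopen` does not) and make it return only the status and headers, so the executable is classified from its `Content-Type` and extension rather than downloaded.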

Trend Micro flags this file as malicious.


You can find the VirusTotal analysis results for this .exe, which is detected by several AV solutions.
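The article locates the dropped files under a Joomla component directory (administrator/components/com_media/old/), which is the kind of place an owner can check for directly. The Python script below, added here as an example and not code from the original post or from the Joomla project, walks a webroot and reports two things that should not be there: any file carrying a Windows PE header (the `MZ` magic, whatever the extension) and PHP scripts parked in backup-style directories such as `old`. It builds a small Joomla-like tree in a temporary directory to mirror the article's path; the file contents are placeholders, not the real dropped files.

```python
"""Inventory a Joomla webroot for files that should not be there: anything
with a Windows PE (MZ) header regardless of extension, and PHP scripts
parked in "old"/backup-style directories under the tree.

Added example for this write-up, not code from the original post or from
the Joomla project. The webroot layout is constructed in a temporary
directory to mirror the path named in the article; the file contents are
placeholders, not the real dropped files.
"""
import hashlib
import os
import tempfile

# Directory names that legitimate Joomla components do not use for live code.
SUSPECT_DIR_NAMES = {"old", "bak", "backup", "tmp"}


def classify(full_path, rel_path):
    """Return a reason string if the file looks out of place, else None.
    rel_path is the path relative to the webroot, so directory names from
    the host filesystem (e.g. /tmp) never influence the verdict."""
    with open(full_path, "rb") as f:
        head = f.read(2)
    if head == b"MZ":
        return "PE executable (MZ header)"
    parts = rel_path.lower().split(os.sep)
    if parts[-1].endswith(".php") and SUSPECT_DIR_NAMES & set(parts[:-1]):
        return "PHP script in a backup-style directory"
    return None


def scan_webroot(root):
    """Walk root and return a sorted list of (relative_path, reason, sha256)
    for every suspect file; the hash is what you would hand to VirusTotal
    or compare against a known-good inventory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reason = classify(full, rel)
            if reason:
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                findings.append((rel, reason, digest))
    return sorted(findings)


def build_sample_webroot():
    """Constructed Joomla-like tree: one legitimate component file plus the
    two paths from the article, filled with placeholder bytes."""
    root = tempfile.mkdtemp(prefix="joomla_")
    com_media = os.path.join(root, "administrator", "components", "com_media")
    old = os.path.join(com_media, "old")
    os.makedirs(old)
    with open(os.path.join(com_media, "media.php"), "wb") as f:
        f.write(b"<?php // legitimate component entry point (placeholder)\n")
    with open(os.path.join(old, "atualizar.php"), "wb") as f:
        f.write(b"<?php // placeholder: real contents unknown\n")
    with open(os.path.join(old, "atualizar.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # placeholder: only the DOS header magic
    return root


if __name__ == "__main__":
    for rel, reason, digest in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}  sha256={digest}")
```

Run it with the real webroot in place of `build_sample_webroot()`; checking the first two bytes rather than the extension is what catches an executable renamed to something innocuous, and the relative-path check keeps the host's own directory names out of the verdict.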

Source Reference: Websense Security Labs
