Is Philippine Bureau of Immigration website compromised, hosting malware?

Websense Security Labs™ and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC notifications. A closer look at one of these emails, like the one shown below, reveals that the link in the email points to a compromised URL on the website of the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file named "atualizar.exe".

The Philippine Bureau of Immigration runs Joomla as its CMS, and the site hosts a file named "atualizar.php". "Atualizar" is Portuguese for "update", so the name corresponds to "update.php".

The file was probably inserted, or an existing file replaced, by the attacker. Requesting "http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php" returns HTTP status code 302, the most common way of performing a redirection, with a Location header pointing to "http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe", which presumably contains the actual payload. The wget session below shows the chain:

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.
    --2011-08-10 17:15:05--  (try: 2)  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: ‘atualizar.exe’
    100%[============================================================================>] 699,460     63.4K/s   in 12s
    2011-08-10 17:15:17 (57.2 KB/s) - ‘atualizar.exe’

Trend Micro flags this file as malicious:


The VirusTotal analysis results for this .exe are also available; it is detected by several different AV solutions.
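Two checks follow from the analysis above: hunting the webroot for the dropped redirector and its binary, and triaging an HTTP response that hands out a redirect or an executable without having to run the payload. The script below is an added example written for this post; it is not code from the original article, from Websense, or from the Bureau of Immigration. It assumes a Joomla-style directory layout, and the function names (scan_webroot, classify_response, build_sample_tree) and the sample files it constructs are my own; only the URL and the MIME type "application/x-msdos-program" come from the wget output quoted above. The sample "payload" is a two-byte MZ stub, not real malware.

```python
"""Hunt for a dropped redirector script and its binary payload in a CMS webroot,
and triage HTTP response headers for redirect-to-binary behaviour.

Added example for this post (not from the original article). The Joomla-like
tree and the files in it are constructed in build_sample_tree() so the script
runs offline.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Extensions that should never be served from a CMS administrator tree.
PAYLOAD_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".dll"}

# PHP redirector pattern: header("Location: <url>") with <url> ending in a binary.
REDIRECT_RE = re.compile(r"""header\s*\(\s*['"]Location:\s*(?P<url>[^'"]+)['"]""", re.I)
BINARY_URL_RE = re.compile(r"\.(exe|scr|com|pif|bat|dll)(\?.*)?$", re.I)

# MIME types that mean "here is a Windows binary" (the first is what wget saw).
BINARY_MIME = {"application/x-msdos-program", "application/x-msdownload",
               "application/octet-stream"}


@dataclass(frozen=True)
class Finding:
    relpath: str
    reason: str
    sha256: str  # look this up on VirusTotal rather than re-downloading the file


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root):
    """Flag binaries (by extension or by MZ header hiding behind another
    extension) and PHP files that redirect to a binary URL."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if ext in PAYLOAD_EXTENSIONS:
                findings.append(Finding(rel, f"binary extension {ext}", sha256_file(path)))
            elif head.startswith(b"MZ"):
                findings.append(Finding(rel, "PE header (MZ) behind non-binary extension",
                                        sha256_file(path)))
            elif ext == ".php":
                for m in REDIRECT_RE.finditer(head.decode("utf-8", "replace")):
                    if BINARY_URL_RE.search(m.group("url")):
                        findings.append(Finding(rel, f"redirects to binary {m.group('url')}",
                                                sha256_file(path)))
    return sorted(findings, key=lambda f: f.relpath)


def classify_response(raw):
    """Parse an HTTP response header block (as a proxy log or wget -S shows it)
    and report status, redirect target, and whether a binary is being served."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    location = headers.get("location")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    binary = ctype in BINARY_MIME or bool(location and BINARY_URL_RE.search(location))
    return {"status": status, "location": location, "binary": binary}


def build_sample_tree():
    """Constructed sample webroot: a clean index.php, the redirector, and a
    fake payload (MZ stub only, not real malware)."""
    root = tempfile.mkdtemp(prefix="joomla_")
    old = os.path.join(root, "administrator", "components", "com_media", "old")
    os.makedirs(old)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>")
    with open(os.path.join(old, "atualizar.php"), "w") as fh:
        fh.write('<?php header("Location: http://immigration.gov.ph/administrator/'
                 'components/com_media/old/atualizar.exe"); ?>')
    with open(os.path.join(old, "atualizar.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_tree()):
        print(f"{f.relpath}: {f.reason} sha256={f.sha256[:16]}...")
```

Running it against a real webroot means pointing scan_webroot at the document root instead of the constructed tree; the SHA-256 in each finding lets you query VirusTotal for an existing report without uploading or re-fetching the sample. The MZ check catches the common trick of renaming a PE so that an extension filter misses it.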

Source Reference: Websense Security Labs
