Is Philippine Bureau of Immigration website compromised, hosting malware?

Websense Security Labs™ and the Websense ThreatSeeker® Network have detected malicious emails disguised as HSBC notifications. A closer look at these emails, like the one you can see below, reveals that the link they carry is a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and the site carries a file named “atualizar.php”; “atualizar” is Portuguese and translates to “update”, so the name means “update.php”.

The file was probably replaced or inserted maliciously. Requesting the link “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” returns HTTP status code 302, the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload.

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.

    --2011-08-10 17:15:05--  (try: 2)  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: ‘atualizar.exe’

    100%[============================================================================>] 699,460     63.4K/s   in 12s

    2011-08-10 17:15:17 (57.2 KB/s) - ‘atualizar.exe’

 

Trend Micro flags this file as malicious.


You can find the VirusTotal analysis results for this .exe, which is detected by several different AV solutions.
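The redirect-to-executable pattern above can be checked without ever running the payload. As an added example (not from the original post or from Websense), the Python below follows a link while recording each redirect hop, reads only the first two bytes of the final body, and flags a script URL that lands on an executable; it runs against a constructed local decoy server that stands in for the compromised host, so it needs no network access and touches no real site.

```python
import http.server
import threading
import urllib.request
# MIME types that commonly mark a Windows executable download.
EXE_TYPES = {"application/x-msdos-program", "application/x-msdownload",
             "application/x-dosexec", "application/octet-stream"}

class RedirectRecorder(urllib.request.HTTPRedirectHandler):
    """Records every redirect hop as (from_url, status, to_url) while following it."""
    def __init__(self):
        self.chain = []
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.chain.append((req.full_url, code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def inspect_link(url):
    """Follow a link, record the chain, and read only 2 bytes of the final body."""
    rec = RedirectRecorder()
    with urllib.request.build_opener(rec).open(url, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        magic = resp.read(2)        # b"MZ" is the DOS/PE header signature
        final = resp.geturl()
    # The post's pattern: a script URL that redirects onto an executable.
    exe_like = ctype in EXE_TYPES or magic == b"MZ" or final.lower().endswith(".exe")
    return {"chain": rec.chain, "final_url": final, "content_type": ctype,
            "pe_magic": magic == b"MZ", "suspicious": bool(rec.chain) and exe_like}

class DecoyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local stand-in for the compromised host; not the real site."""
    def do_GET(self):
        if self.path.endswith("atualizar.php"):
            self.send_response(302)
            self.send_header("Location", f"http://{self.headers['Host']}{self.path[:-4]}.exe")
            self.end_headers()
        else:                       # the .exe: a header stub only, not a real program
            body = b"MZ" + b"\0" * 62
            self.send_response(200)
            self.send_header("Content-Type", "application/x-msdos-program")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    def log_message(self, *args): pass   # keep the demo quiet

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), DecoyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return inspect_link(f"http://127.0.0.1:{srv.server_address[1]}/old/atualizar.php")
    finally:
        srv.shutdown(); srv.server_close()
```

The same `inspect_link` can be pointed at a URL extracted from a suspicious email by a mail gateway or sandbox, where a recorded 302 onto an `application/x-msdos-program` body is a strong signal to quarantine the message.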

Source Reference: Websense Security Labs
