Is Philippine Bureau of Immigration website compromised, hosting malware?

According to Websense Security Labs™ and the Websense ThreatSeeker® Network, malicious emails disguised as HSBC notifications have been detected. A closer look at these emails, like the one shown below, reveals that the link they contain points to a compromised URL belonging to the Philippine Bureau of Immigration.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration uses Joomla as its CMS, and on the site there is a file named “atualizar.php”; “atualizar” is a Portuguese word that translates to “update”, so the name means “update.php”.

The file was probably replaced or inserted maliciously. If you request the link “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php”, the HTTP response status code is 302, the most common way of performing a redirection. It redirects to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload…

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04--  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.

    --2011-08-10 17:15:05--  (try: 2)  http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: “atualizar.exe”

    100%[============================================================================>] 699,460     63.4K/s   in 12s

    2011-08-10 17:15:17 (57.2 KB/s) - “atualizar.exe”

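The transcript above shows the two-hop pattern worth checking whenever a phishing link is triaged: a script URL answers 302 and the Location header points at an executable. The following is an added example, not code from the original post, that walks a redirect chain hop by hop and records status codes and headers without saving the response body. The `fetch_headers` helper performs a live request; the `CONSTRUCTED_RESPONSES` table and `fake_fetch` are a constructed stand-in that replays the statuses and content type observed above so the script runs offline. `EXECUTABLE_TYPES`, `MAX_HOPS` and the reason strings are my own choices, not anything from the post.

```python
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# MIME types commonly used to serve Windows executables; the transcript shows
# application/x-msdos-program, application/x-msdownload is added as an assumption.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-msdownload"}
MAX_HOPS = 5  # assumed cap so a redirect loop cannot run forever


def fetch_headers(url, timeout=10):
    """Live helper: issue a GET, return (status, headers) and close without reading the body."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers
    finally:
        conn.close()  # the body is never read, so nothing lands on disk


def resolve_chain(url, fetch=fetch_headers, max_hops=MAX_HOPS):
    """Follow redirects up to max_hops; return the hops and whether the cap was hit."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append({"url": url, "status": status, "headers": headers})
        location = headers.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return {"hops": hops, "truncated": False}
    return {"hops": hops, "truncated": True}


def classify(result):
    """Derive simple triage reasons from the resolved chain."""
    hops = result["hops"]
    last = hops[-1]
    ctype = last["headers"].get("content-type", "").split(";")[0].strip().lower()
    final_path = urlparse(last["url"]).path.lower()
    first_path = urlparse(hops[0]["url"]).path.lower()
    reasons = []
    if result["truncated"]:
        reasons.append("redirect limit reached")
    if ctype in EXECUTABLE_TYPES:
        reasons.append("executable content type " + ctype)
    if final_path.endswith(".exe"):
        reasons.append("final URL ends in .exe")
    if len(hops) > 1 and first_path.endswith(".php") and final_path.endswith(".exe"):
        reasons.append("script URL redirects to an executable")
    return {"final_url": last["url"], "content_type": ctype,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed replay of the chain observed in the transcript (URLs and values from the post).
PHP_URL = "http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php"
EXE_URL = "http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe"
CONSTRUCTED_RESPONSES = {
    PHP_URL: (302, {"location": EXE_URL}),
    EXE_URL: (200, {"content-type": "application/x-msdos-program", "content-length": "699460"}),
}


def fake_fetch(url):
    """Offline stand-in for fetch_headers that replays CONSTRUCTED_RESPONSES."""
    status, headers = CONSTRUCTED_RESPONSES[url]
    return status, dict(headers)


if __name__ == "__main__":
    result = resolve_chain(PHP_URL, fetch=fake_fetch)
    for hop in result["hops"]:
        print(hop["status"], hop["url"])
    print(classify(result))
```

To run it against a live link, call `resolve_chain(url)` without the `fetch` argument; only headers are retrieved, so the executable is never written to the analyst's machine.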

Trend Micro flags this file as malicious.

The VirusTotal analysis results for this .exe show it being detected by several different AV solutions.
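The post's explanation that “atualizar.php” was probably replaced or inserted into the Joomla tree points at the check a site owner can run: compare the webroot against a manifest of known-good file hashes and flag anything added, modified, missing or carrying an extension that does not belong on a CMS. The following is an added example, not code from the original post or from the Joomla project. `audit_tree` is the generic check; `build_constructed_tree` creates a constructed miniature webroot in a temporary directory with placeholder contents (the file names under `com_media/old/` come from the post, the other paths and `RISKY_EXTENSIONS` are my assumptions, not real Joomla layout).

```python
import hashlib
import os
import shutil
import tempfile

# Extensions that have no business inside a CMS administrator tree.
# .exe is what the post observed; .scr and .dll are added as assumptions.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll"}


def sha256_file(path):
    """Hash a file in chunks so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, manifest):
    """Compare every file under root with manifest {relative_path: sha256 hex}."""
    added, modified, risky = [], [], []
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                risky.append(rel)
            if rel not in manifest:
                added.append(rel)          # file the pristine install never shipped
            elif sha256_file(full) != manifest[rel]:
                modified.append(rel)       # shipped file whose content changed
    missing = sorted(set(manifest) - seen)  # shipped file that was deleted
    return {"added": sorted(added), "modified": sorted(modified),
            "missing": missing, "risky": sorted(risky)}


def build_constructed_tree():
    """Constructed sample webroot plus a manifest of what the pristine install should contain."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    files = {
        "administrator/components/com_media/media.php": b"<?php // constructed stand-in for a shipped file\n",
        "administrator/components/com_media/old/atualizar.php": b"<?php // constructed placeholder\n",
        "administrator/components/com_media/old/atualizar.exe": b"MZ-constructed-bytes",
        "index.php": b"<?php // constructed, tampered copy\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    manifest = {
        # unchanged shipped file
        "administrator/components/com_media/media.php":
            hashlib.sha256(files["administrator/components/com_media/media.php"]).hexdigest(),
        # shipped file whose on-disk copy differs from the pristine hash
        "index.php": hashlib.sha256(b"<?php // constructed, pristine copy\n").hexdigest(),
        # shipped file that is absent from the tree (hash is a placeholder)
        "administrator/includes/helper.php": "0" * 64,
    }
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_constructed_tree()
    try:
        for category, paths in audit_tree(root, manifest).items():
            print(category, paths)
    finally:
        shutil.rmtree(root)
```

In practice the manifest is generated once from a clean copy of the same Joomla release, and the audit is re-run on a schedule so an inserted script like the one in this post shows up under “added” before anyone mails out links to it.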

Source Reference: Websense Security Labs
