Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 22nd, 2010

Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan

The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.

The IFrame points to an exploit kit hosted on a domain called After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player.

“These exploit codes attempt to load file hxxp:// which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%Startupmonskc32.exe and receives commands from C&C server with domain,” Le Minh Hung, senior security researcher at Bkis, writes.

At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

“Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including,” a detailed explanation of the Google warnings reads.

Even though the malicious .cn domain appears to be dead at the moment, it could return back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

Credit: News

Share this item with others:

More on CyberInsecure:
  • Software Package Supplied By Lenovo Contained Malware
  • Subdomain Compromised, Installing Malware On Visitors PC’s
  • Malicious Javascript Code In Another CNET Networks Website
  • Infect Your Own Website Visitors For Russian Cash
  • Infects Visitors With Trojan

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan

    One Response to “Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan”

    1. […] indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also […]

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.