TrendLabs examines the recent compromise of a Lenovo support page which resulted in visitors unknowingly downloading the BREDOLAB trojan.

1. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 67
JULY 5, 2010
PC Maker’s Support Page Succumbs to Compromise
Although they may not be quite as high profile as they were a few years ago, cybercriminals are still compromising legitimate, high-traffic sites to
facilitate more targeted Web attacks. The latest victim to fall prey to this type of attack is Chinese PC manufacturer, Lenovo, when a malicious
iframe code that led to the download of a BREDOLAB variant was embedded into its support page.
The Threat Defined
Compromising websites is one of the most
effective tactics cybercriminals use to capture
more victims. This allows them to
conveniently distribute malware without
requiring user action to load malicious codes.
It is also a silent means by which threats are
delivered that does not require social
engineering to trick users into downloading
malicious content. All it relies on is the
popularity of the websites it targets, which
usually have large numbers of trusting users
that are potential infection victims.
Unlike most compromises that target a wide
range of websites, this latest compromise
used a more focused approach, targeting only
a specific but very popular website. It targeted
Lenovo’s website and, in effect, its customers
who were looking to download relevant
software for their systems.
Lenovo is one of the most popular brands of
computing devices, ranking as the fourth
largest PC vendor worldwide. It is also well-
represented in the corporate market because
its ThinkPad products are commonly used in
offices. It is also the biggest seller in China, Figure 1. Lenovo support page compromise infection diagram
which accounts for the largest proportion of
the Internet population globally. Needless to say, these factors make Lenovo a very appealing target for a website
compromise. In this particular attack, cybercriminals injected a malicious iframe code into the Lenovo site’s support
page, from which customers usually go to download driver updates and manuals. Users who then visited this page
instead downloaded TROJ_BREDOLAB.BY onto their computers.
TROJ_BREDOLAB.BY drops a copy of itself as well as other nonmalicious files onto the affected system. It makes
sure that it remains resident on the computer’s memory by injecting itself into the SVCHOST.EXE process. This
routine makes it more difficult to terminate and remove this Trojan from an affected system.
Once it executes, it connects to a website, which possibly hosts a number of other malicious programs that can be
downloaded onto an affected system. When users visit the compromised page, they become susceptible to further
malware attacks.
The infection was limited to only the download.lenovo.com domain while the general lenovo.com domain remained
unaffected. Users who accessed the site with Firefox and Chrome browsers were able to see malware warnings
when opening the resources hosted on the support page. This indicates that the affected pages were indeed
infected and blocked by Google’s Safe Browsing service.
Users used to be quite safe while surfing the Web as long as they stayed away from sites that
were notorious for hosting malware such as adult and warez sites. However, the inception of
website compromises changed the whole threat landscape in a sense that not even legitimate
1 of 2 – WEB THREAT SPOTLIGHT

2. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
sites can be trusted anymore. In the past, website compromises resulted in thousands of sites being hacked on a
daily basis. This may not be the case today but site compromises can certainly occur anytime to anyone. Clearly it
is important for users to protect their systems from Web threats that may result from hacking. It is also the
responsibility of anyone with a website to make sure that his/her site stays secure and free from exploits.
User Risks and Exposure
BREDOLAB is a simple downloading platform that gained popularity in 2009 for facilitating the distribution of other
prominent malware families. Behind this simple program, however, is a bigger network of underground activities. It
has been affiliated with other malware families, particularly ZeuS and FAKEAV variants, in order to gain profit. Thus,
systems that have been affected by this downloader may become hosts to other malware attacks in an attempt to
build botnets or may be used in pay-per-install (PPI) scams related to rogue antivirus applications.
Any company that owns a compromised website is at risk of losing its customers’ trust. In Lenovo’s case, the page
remained infected over the weekend, giving cybercriminals ample time to infect many users. Some users raised
their concerns on the company’s official forum, commenting that nobody could be reached since the downloader
had been found and that Lenovo should be prudent enough to shut down the site until the issue has been resolved.
Although the company acknowledged the incident and admitted that there was ample room for improvement,
damage has already been done to the company’s reputation.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this attack, Smart Protection Network’s Web reputation technology prevented access to malicious URLs that may
have hosted copies of TROJ_BREDOLAB.BY and other malicious URLs that this BEDOLAB variant connected to.
File Reputation technology detected and consequently removed the malicious file detected as
TROJ_BREDOLAB.BY and other malware that it may have subsequently download.
Trend Micro Titanium Internet Security provides automatic protection against viruses and spyware for netbook users.
It is a lightweight solution that runs in the background to give users the protection they need while browsing the
Internet without slowing down their netbooks. Trend Micro Internet Security also protects desktop and laptop users.
Users are also encouraged to adhere to the following best practices when browsing the Internet:
• Because traditional antivirus software does not block legitimate sites even when compromised, users are
advised to use security suites that utilize Web Reputation technology to block access to malicious sites.
• Website administrators should regularly scan their sites to ensure that these do not inadvertently host any
malware.
• Users should keep their guards up when surfing the Web. Always hover over a link to see if it looks
legitimate or not. If the URL looks obscure, it could be a redirect. It is always safer to err on the side of
caution.
• Users can run a malware scan as well using free tools like HouseCall to confirm if their systems have been
infected.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/lenovo-support-page-compromise-leads-to-bredolab/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BREDOLAB.BY
Other related posts are found here:
http://en.wikipedia.org/wiki/Market_share_of_leading_PC_vendors
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/bredolab_final.pdf
http://forums.lenovo.com/t5/General-Discussion/Warning-Lenovo-download-site-is-infected-by-trojan-downloader/td-
p/241901
http://lenovoblogs.com/connections/?p=1492
2 of 2 – WEB THREAT SPOTLIGHT