In association with heise online

21 June 2010, 10:33

Malicious code on Lenovo driver download page - Update

The driver download portal of hardware manufacturer Lenovo temporarily deployed malicious code. Various virus scanners issued alerts about a Java-based Trojan downloader or dropper. The iframe injected by attackers points to the server and can still be found on several pages of the server.

However, the injected links to the Chinese server are now pointing to a non-existent target, so there is no longer an immediate threat. The Firefox and Chrome web browsers have also started to warn their users about accessing this server. Since Lenovo doesn't appear to have responded, the security hole may still be open, which would potentially allow attackers to deploy updated iframe links on the download pages at any time.

The injected dropper has been known since at least the end of May. Which malicious code it eventually retrieved remains unclear. The presence of the iframe was first mentioned (German language link) in the ThinkPad forum on Saturday afternoon. Those who have visited the Lenovo download portal in the past few days should update their virus signatures and scan their computers for potential intrusions.

Update: It now seems that the dropper was the Phoenix Kit and that once activated it downloaded the Bredolab trojan. Lenovo appears to have now removed the iframe from the affected web pages.