
Archive for November, 2007


Nov30
by Jovi Umawing (Technical Communications)

…were the first words that came to mind upon knowing the billing method used by the adult Web site www.sexxxpassport.com and Micro Bill Systems (MBS), a payment and debt management service provider, to bill their subscribers. To say the least, this is social engineering on a completely new playing field.

TrendLabs has received a sample of the file named MBSAUTHENTICATE_39.EXE-1, which is served from the said adult site’s default page, and detects it as TROJ_AGENT.PYC. Users visiting the site are required to download and install this file on their systems to avail of the free 3-day site access. From the default page, users can also find a link to the site’s Terms & Conditions, though they are not required to view that page before proceeding with the download. Users will most likely skip the page (the site owners may well have counted on this), only to find out later that they have fallen prey to extortion.

Users may be apt to complain, but the site owners and MBS have made the methods they would use clear (though alarmingly so), possibly to shift the blame back to the unknowing users themselves. On further study of the site’s terms and conditions, Section 12.5 is notable:

12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline.

Inadvertently ‘agreeing’ to this term allows the site owners to disable the user’s system by inducing repeated pop-ups of billing reminders that obscure everything on the user’s desktop (open windows, running applications, icons, etc.), making the system virtually unusable, even if only for a short time.

Trend Micro advises users to refrain from downloading and executing files from sites that may seem legitimate.

Posted in Malware

Nov30
by Roderick Ordoñez (Technical Communications)

Going Dutch is easy on the pocket when eating out, but it may also be another way to line someone else’s pockets: spammers’ pockets. Spam has gone Dutch as inboxes this November have seen a sudden influx of Dutch spam:

Trend Micro researcher Feike Hacquebord notes that even though the messages tell of a bogus nuclear power plant accident in Amsterdam (there is no nuclear power plant in Amsterdam, by the way), the grammar and spelling are fairly good, an unusual occurrence in the spam business.

If one’s interest is tickled enough to visit the given links, s/he is directed to a page claiming to contain the photos of the accident. However, in order to view the photos, a plug-in must be installed. Notice that both of the messages have pages hosted at Geocities.com. Hacquebord has further discovered that clicking the link eventually leads to the download of a file named iPIX-install.exe. Running the EXE, of course, installs malware on your computer. Trend Micro detects this malware as TSPY_BANCOS.EFZ. This Trojan spyware reports information back to a Turkish IP address, suspected of being part of the Storm network.

Spammers may have gone Dutch to prey on a less suspecting Internet populace, who are already wary of the usual English spam and its associated links. The move to another language may also be a sign that spammers are extending their reach to other locales, or are merely testing the waters for new avenues of spam delivery.

Either way, spam by any other language is still spam.

Posted in Malicious Websites, Spam

Nov28
by Jonell Baltazar (Advanced Threats Researcher)

Let’s take a deeper look into the much talked-about malicious sites discussed here.

As an overview, the whole process starts with a user searching for a certain string in the Google search engine (e.g., “Christmas”). After the search engine returns several search results, the user visits one of the sites. The catch is that the result set includes several malicious sites hosting a malicious script, which in turn can lead to the compromise of the user’s system.

In this case, the malicious script redirects to another web page using a “window.location={url}” assignment.

[Image: bad_js.gif, the malicious script]

It’s somewhat simple. However, there is a little catch for us security researchers. Look at the “if” statement, which relies on the “document.referrer” property. The code shows that for the “eval” function to be executed, the page the user visited before arriving on the malicious Web page must be a page of Google search results. Also, the search string used by the user must not contain the “inurl:” or “site:” Google search operators. Thus, directly visiting or accessing the malicious site will not trigger the evil script and will not redirect us to the site hosting the malicious binary file.

For security researchers developing tools to automate the capture of the malicious files behind Web threats, this is something to consider. It is clearly a limitation for tools designed to access the malicious site directly in order to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders.

Several modifications and enhancements to our tools should be applied in order to catch these kinds of Web threats.
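As an added example (not code from the post or from TrendLabs’ tools), here is a small Python helper a honeyclient or crawler author could use: a model of the referrer gate described above, so the Referer value the tool will send can be checked before a fetch; a builder for a Google search-results referrer; and a cheap triage heuristic that flags scripts combining a document.referrer test with eval or window.location. The accepted hostnames and the sample script are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed hostnames for Google search-result pages; the post does not show
# how the real script tests the referrer host, so this list is illustrative.
GOOGLE_HOSTS = ("www.google.com", "google.com")
# Search operators the post says the gate rejects in the query string.
BLOCKED_OPERATORS = ("inurl:", "site:")

def gate_allows(referrer: str) -> bool:
    """Model of the referrer gate: True only for a Google search-results URL
    whose q= query uses neither inurl: nor site:. An empty referrer (direct
    visit) returns False, which is why a plain crawler never sees the redirect."""
    if not referrer:
        return False
    parsed = urlparse(referrer)
    if parsed.hostname not in GOOGLE_HOSTS or not parsed.path.startswith("/search"):
        return False
    query = parse_qs(parsed.query).get("q", [""])[0]
    return not any(op in query.lower() for op in BLOCKED_OPERATORS)

def search_referrer(query: str) -> str:
    """Referer value a honeyclient should send when re-fetching a suspect URL
    that turned up for `query`, so the fetch looks like a search-result click."""
    return "http://www.google.com/search?" + urlencode({"q": query})

# Static triage: a script that reads document.referrer AND redirects/evals
# matches the pattern in the post. Expect false positives; it is a filter for
# what to hand to a full analysis, not a verdict.
REFERRER_RE = re.compile(r"document\.referrer", re.IGNORECASE)
REDIRECT_RE = re.compile(r"window\.location|\beval\s*\(", re.IGNORECASE)

def looks_referrer_gated(script: str) -> bool:
    return bool(REFERRER_RE.search(script) and REDIRECT_RE.search(script))

# Constructed sample mirroring the behaviour described in the post (not the
# real script from bad_js.gif); the destination is a reserved .invalid name.
SAMPLE_SCRIPT = (
    'if (document.referrer.indexOf("google") != -1) '
    '{ eval("window.location=\'http://example.invalid/\'"); }'
)
```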

Posted in Malicious Websites

Nov28
by Paul Oliveria (Technical Communications)

The past couple of days seem to have been riddled with attacks (direct or otherwise) against the increasingly popular Mac computers.

Strike 1: More Mac-based ZLOB malware
Ever since ZLOB first crossed over to Mac computers several weeks ago, Trend Micro researchers have been continuously monitoring fake video codec Web sites that host malicious DMG files, the latest being codecvip.com. Still, ZLOB’s motives remain the same: change DNS server settings for malicious purposes such as phishing and site redirection.

Strike 2: Spammers using iDisk
Dubbed a “personal hard disk online”, iDisk is one of the online tools and services offered by Apple’s .Mac (read as dot-Mac; think Yahoo! and Google, which both offer Web site hosting services, online groups, etc.). Recently, Senior Threat Researcher Feike Hacquebord was able to dig up some 200+ spam URLs on 23 iDisk accounts (at idisk.mac.com).

Strike 3: Hacker defaces Mac fansites
News that several Mac fansites had been hacked and defaced because of “excessive Apple fanboism” was first reported by McAfee in their blog. However, the Register reports that some of the supposedly hacked sites were actually “publicity stunts”. Real or not, the message of the defacement probably says it all:

This is a message to the rest of the Mac community, so listen up. Ever heard of hubris? Tone it down and you will not be attacked.

The question is, will it (Mac popularity, etc.) tone down? Probably not.

Posted in Malware

Nov28
by JM Hipolito (Technical Communications)

SANS Internet Storm Center reports that exploit code taking advantage of a buffer overflow vulnerability in the WinRAR archiving software is making the rounds in the wild. The said exploit code affects WinRAR versions 3.50 and earlier.

Further analysis by TrendLabs researchers reveals that the said exploit (detected as TROJ_RDROPPER.A) arrives as a malicious .RAR file. Once the said file successfully exploits the WinRAR flaw, it proceeds to drop the file %User Temp%WINRAR.EXE, which is detected by Trend Micro as BKDR_DARKMOON.AH. The dropped backdoor, in turn, opens a random port and allows remote code execution by a malicious user.

This is not the first time a bug has been discovered in earlier versions of WinRAR. As early as 2005, Threat Researchers Jonell Baltazar and Joey Costoya were able to procure exploit code that also took advantage of a buffer overflow vulnerability. At that time, however, they concluded that the said exploit could not be used for malicious purposes.

Trend Micro strongly recommends that WinRAR users upgrade to the latest version of the program (3.61) to avoid possible infection. Users of Trend Micro products are also advised to update their patterns.

Posted in Exploits, Malware

© Copyright 2008 Trend Micro Inc. All rights reserved.