
Archive for November 28th, 2007


Nov28
by Jonell Baltazar (Advanced Threats Researcher)

Let’s take a deeper look into the much talked-about malicious sites discussed here.

As an overview, the whole process starts with a user searching for a certain string in the Google search engine (e.g., “Christmas”). After the search engine returns several results, the user visits one of the sites. The catch is that the result set contains several malicious sites hosting a malicious script, which in turn can lead to the compromise of the user’s system.

In this case, the malicious script redirects to another Web page by assigning a URL to “window.location” (“window.location={url}”).

[Image: bad_js.gif, the malicious script]

It’s somewhat simple. However, there is a little catch for us security researchers. Look at the “if” statement, which relies on the “document.referrer” property. The condition means that for the “eval” call to be executed, the page the user visited before arriving at the malicious Web page must be a page of Google search results. Also, the search string used by the user must not contain the “inurl:” or “site:” Google search operators. Thus, directly visiting or accessing the malicious site will not trigger the evil script and will not redirect us to the site hosting the malicious binary file.

For security researchers developing tools to automate the capture of malicious files served by Web threats, this is something to consider. It is a clear limitation for tools designed to access the malicious site directly in order to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders.

Several modifications and enhancements to our tools should be applied in order to catch these kinds of Web threats.
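As an added example (not the TrendLabs tooling described above), the following Python helper lets a honeyclient fetch a page as if the visitor had arrived from a Google results page, and flags scripts that branch on “document.referrer”; the Google search URL format, the User-Agent string and the heuristic regex are assumptions.

```python
import re
import urllib.parse
import urllib.request

# Hypothetical honeyclient helper: emulate a visitor coming from a search
# results page so that referrer-gated scripts behave as they would for a
# real user, and spot such gating in fetched script text.

GOOGLE_SEARCH = "http://www.google.com/search"  # assumed results URL


def emulated_search_referer(query):
    """Build a Referer value resembling a Google results page for `query`.

    Returns None for queries using the inurl:/site: operators, since the
    post notes that such searches do not satisfy the script's condition.
    """
    if re.search(r"\b(inurl|site):", query):
        return None
    return GOOGLE_SEARCH + "?" + urllib.parse.urlencode({"q": query})


def fetch_as_search_visitor(url, query, timeout=10):
    """Fetch `url` with a Referer header set as if the user came from a search.

    Raises ValueError when no usable referer can be built for `query`.
    """
    referer = emulated_search_referer(query)
    if referer is None:
        raise ValueError("query would not satisfy the referrer gate")
    req = urllib.request.Request(url, headers={
        "Referer": referer,
        "User-Agent": "Mozilla/5.0 (Windows; honeyclient)",  # hypothetical UA
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Heuristic: the script reads document.referrer and, somewhere after that,
# calls eval or assigns window.location. Matches the pattern the post shows.
REFERRER_GATE = re.compile(
    r"document\.referrer.*?\b(eval|window\.location)\b", re.DOTALL)


def has_referrer_gate(script_text):
    """True if the script looks gated on the referrer, so an analyst knows a
    direct fetch may not have captured the real behaviour."""
    return bool(REFERRER_GATE.search(script_text))
```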

 
Posted in Malicious Sites

Nov28
by Paul Oliveria (Technical Communications)

The past couple of days seem to have been riddled with attacks (direct or otherwise) against the increasingly popular Mac computers.

Strike 1: More Mac-based ZLOB malware
Ever since ZLOB first crossed over to Mac computers several weeks ago, Trend Micro researchers have been continuously monitoring fake video codec Web sites that host malicious DMG files, the latest being codecvip.com. Still, ZLOB’s motives remain the same: change DNS server settings for malicious purposes such as phishing and site redirection.

Strike 2: Spammers using iDisk
Dubbed a “personal hard disk online”, iDisk is one of the online tools and services offered by Mac’s .Mac (read as dot-Mac — think Yahoo! and Google, which both offer Web site hosting services, online groups, etc.). Recently, Senior Threat Researcher Feike Hacquebord was able to dig up some 200+ spam URLs on 23 iDisk accounts (at idisk.mac.com).

Strike 3: Hacker defaces Mac fansites
News that several Mac fansites had been hacked and defaced because of “excessive Apple fanboism” was first reported by McAfee on their blog. However, The Register reports that some of the supposedly hacked sites were actually “publicity stunts”. Real or not, the message of the defacement probably says it all:

This is a message to the rest of the Mac community, so listen up. Ever heard of hubris? Tone it down and you will not be attacked.

The question is, will it (Mac popularity, etc.) tone down? Probably not.

 
Posted in Malware

Nov28
by JM Hipolito (Technical Communications)

SANS Internet Storm Center reports that exploit code taking advantage of a buffer overflow vulnerability in the WinRAR archiving software is making the rounds in the wild. The exploit code affects WinRAR versions 3.50 and earlier.

Further analysis by TrendLabs researchers reveals that the exploit (detected as TROJ_RDROPPER.A) arrives as a malicious .RAR file. Once the file successfully exploits the WinRAR flaw, it drops the file %User Temp%\WINRAR.EXE, which is detected by Trend Micro as BKDR_DARKMOON.AH. The dropped backdoor, in turn, opens a random port and allows remote code execution by a malicious user.

This is not the first time a bug has been discovered in earlier versions of WinRAR. As early as 2005, Threat Researchers Jonell Baltazar and Joey Costoya were able to procure exploit code that also took advantage of a buffer overflow vulnerability. At that time, however, they concluded that the exploit could not be used for malicious purposes.

Trend Micro strongly recommends that WinRAR users upgrade to the latest version of the program (3.61) to avoid possible infection. Users of Trend Micro products are also advised to update their patterns.

 
Posted in Exploits, Malware

Nov28
by Rommel Garcia (Threats Analyst)

Three new exploits posted on the Web take advantage of a vulnerability in QuickTime Player v7.3 in the way it handles responses from a video/audio streaming server via the Real Time Streaming Protocol (RTSP). RTSP controls the delivery of audio and video data with real-time properties.

The exploits are designed to send a malformed RTSP response header that results in remote code execution on computers that use QuickTime Player.

Sample of a normal RTSP response:

[Image: Normal RTSP Response]

Sample of a malformed RTSP response:

[Image: Malformed RTSP Response]

Notice that the Content-Type field has a malformed type. Examples of valid values for this field are ‘Application’, ‘Text’, ‘Audio’, and ‘Image’.
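As an added example, not code from the original post, here is a small Python checker that parses an RTSP response and flags a Content-Type whose top-level type is outside the set listed above or whose value is unreasonably long; the sample responses and the 256-byte limit are constructed assumptions, useful for screening captured streaming-server responses before a client handles them.

```python
import re

# Constructed example: parse an RTSP response head and report findings about
# the Content-Type header, in the spirit of the normal/malformed samples above.

VALID_TOP_LEVEL = {"application", "text", "audio", "image"}
MAX_HEADER_VALUE = 256  # assumed sanity limit for this checker


def parse_rtsp_response(raw):
    """Split an RTSP response into (status_line, headers dict).

    Header names are lowercased; only the part before the blank line is read.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore it
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def content_type_problems(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    status, headers = parse_rtsp_response(raw)
    findings = []
    if not status.startswith("RTSP/"):
        findings.append("status line is not an RTSP response")
    ctype = headers.get("content-type")
    if ctype is None:
        return findings
    if len(ctype) > MAX_HEADER_VALUE:
        findings.append("Content-Type value is %d bytes long" % len(ctype))
    top = ctype.split("/", 1)[0].strip().lower()
    if not re.fullmatch(r"[a-z][a-z0-9.+-]*", top) or top not in VALID_TOP_LEVEL:
        findings.append("unexpected Content-Type top-level type: %r" % top[:40])
    return findings


# Constructed sample responses for demonstration (not captured traffic).
NORMAL = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          "Content-Length: 0\r\n\r\n")
MALFORMED = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: "
             + "X" * 400 + "\r\n\r\n")
```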

The following are the scenarios of how a machine can be attacked:

Attacker executes!

The attacker runs the exploit on his/her own computer, listening on port 554 (the default port for the RTSP protocol). The attacker’s machine then waits for an RTSP request from its victim.

Attacker pings!

The attacker creates a Web site with the malicious RTSP link embedded (redirecting to the exploit) or sends a message containing the exact media link location of the exploit to the victim’s Messenger.

User enticed

The victim is then enticed to visit the malicious link or view the media, which opens the link in QuickTime Player.

The exploit listening on port 554 is triggered and sends a response with a malformed RTSP header.

User victimized!

Voila! The shellcode is executed on the victim’s machine.

Another attack vector is visiting a Web site with embedded scripts/objects that direct RTSP connections to a malicious remote server.

As of this writing, there is still no patch that addresses this vulnerability. To prevent these kinds of attacks, avoid visiting sites and/or opening links from unknown sources. It is also better to block connections through port 554 until a patch for this vulnerability becomes available.

 

Nov28
by JM Hipolito (Technical Communications)

TrendLabs recently received samples of a Trojan sent as an attachment to spammed mail bearing the subject “Sexy Card from Hot Girl”. The Trojan, detected by Trend Micro as TROJ_PUSHDO.AR, is disguised as an animated e-card with nude photos of a certain Monica T., supposedly sent via Adult Sex Finder. Below is a sample of the message:

[Image: sample of the spammed message carrying TROJ_PUSHDO.AR]

When the attachment is opened, this Trojan executes and installs itself on the affected system, registering itself as a service to ensure automatic execution. It then connects to the URL http://66.{BLOCKED}.252.215/s_60_3232297080?m… to download a file detected by Trend Micro as TROJ_PANDEX.AR.

Its social engineering tactic is old news, but what’s interesting is its use of the name Adult Sex Finder as the supposed company that put together the provocative e-card. “Adult Sex Finder” sounds so much like AdultFriendFinder, a Web site that claims to be the “world’s largest adult sex and swingers site”, that one can’t help but wonder whether there is some kind of connection. AdultFriendFinder has been linked to malware attacks in the past.

Whether there is or there isn’t any connection, TROJ_PUSHDO.AR is out there in the wild finding propagation partners: users that are lured by its lurid bait. Don’t be that user. Trend Micro customers are encouraged to update to the latest pattern to be protected from this pesky spam attachment.

 
Posted in Malware


© Copyright 2008 Trend Micro Inc. All rights reserved.