Shanghai Expo Spam Carries Backdoor

Facts

How does this threat get into users' systems?
This threat arrives as a spammed message purportedly from the Bureau of the Shanghai World Expo. It contains a PDF attachment asking users to fill it out. A screenshot of the said email can be found below:


How does this threat infect users?
The attachment is malware detected as TROJ_PIDIEF.ACV, which exploits a vulnerability in certain versions of Adobe Reader and Acrobat. Once the exploit succeeds, it drops a backdoor detected as BKDR_RIPINIP.I.

What is the driving force behind this threat?
The backdoor performs several malicious routines, including receiving commands from a remote user and stealing information such as an affected system's OS version, CPU information, computer name, and IP address.

What is different in this attack?
While the same vulnerability has been exploited in other attacks earlier this year, the method used to exploit it differs: the specially crafted PDFs carry an embedded malicious TIFF file which, when processed by the affected Adobe products, triggers the vulnerability and executes arbitrary code.

Also, these attacks appear to rely on the recipients' interest or participation in the Shanghai World Expo (Expo 2010), which is expected to draw up to 70 million visitors, the largest crowd in the history of such events, according to Wikipedia.
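As an added example (not code from the original advisory or from Trend Micro), a defensive triage check in Python for the indicator described above: it scans a PDF's stream objects for an embedded TIFF signature, checking the raw stream bytes, a FlateDecode inflation, and any base64 runs in either. The PDF inputs are constructed for the demo, and the 16-character base64 threshold is an assumption.

```python
import base64
import binascii
import re
import zlib

# TIFF signatures: little-endian "II*\0" and big-endian "MM\0*".
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
# PDF stream bodies, matched lazily up to the next "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Base64 runs long enough to hold a TIFF header (16-char threshold is an assumption).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def _views(data):
    """Yield (label, bytes): the raw stream, its Flate inflation, and decoded base64 runs."""
    yield "raw", data
    try:
        inflated = zlib.decompress(data)
    except zlib.error:
        inflated = None
    else:
        yield "flate", inflated
    for label, blob in (("base64", data), ("flate+base64", inflated)):
        for m in B64_RE.finditer(blob or b""):
            try:
                yield label, base64.b64decode(m.group(0), validate=True)
            except binascii.Error:
                pass  # not valid base64 after all

def find_embedded_tiff(pdf):
    """Return (stream_index, encoding) for each PDF stream that carries a TIFF signature."""
    hits = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        for label, view in _views(m.group(1)):
            if any(magic in view for magic in TIFF_MAGIC):
                hits.append((idx, label))
                break  # one finding per stream is enough for triage
    return hits

# Constructed demo inputs (not real malware): a TIFF header dropped straight into a
# stream, and the same header base64-wrapped inside a Flate-compressed stream.
_TIFF_HDR = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Length 11 >>\nstream\nHello world\nendstream\nendobj\n"
SUSPECT_RAW = b"%PDF-1.4\n2 0 obj\n<< /Length 16 >>\nstream\n" + _TIFF_HDR + b"\nendstream\nendobj\n"
SUSPECT_B64 = (b"%PDF-1.4\n3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(b"<image>" + base64.b64encode(_TIFF_HDR) + b"</image>")
               + b"\nendstream\nendobj\n")
```

Calling find_embedded_tiff on the three samples returns no hits for BENIGN_PDF, a "raw" hit for SUSPECT_RAW and a "flate+base64" hit for SUSPECT_B64; a TIFF inside a PDF is unusual enough to warrant quarantining the attachment for further analysis rather than being proof of exploitation on its own.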


How can users protect themselves from this attack?

This attack has several components. A multilayered defense is necessary to ensure that the malicious spam, the PDF exploit, the backdoor, and the backdoor’s outbound communication are blocked or detected.

Trend Micro Smart Protection Network detects the spam message and all the files related to this attack, and blocks the domain the backdoor connects to in order to send the stolen information. Trend Micro Deep Security™ can also help shield users from the vulnerability used in this attack. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-014 release.



Detection Name    Damage Potential    Pattern File
TROJ_PIDIEF.ACV   High                6.685.00
BKDR_RIPINIP.I    High                6.951.00