17 Dec 2007

Trojan Exploiting PDF Vulnerability

Original issue date: 30 October 2007

It has been observed that a Trojan named Pidief is circulating widely, exploiting the remote code execution vulnerability in Adobe Acrobat PDF files described in CIVN-2007-128.

The Trojan comes as a PDF attachment in spammed e-mails with subject lines enticing innocent users into opening the malicious file and executing the malware on their systems.

Aliases: EXPL_PIDIEF.B [FrSIRT], Trojan.Pidief.A [Symantec], EXPL_PIDIEF.B [Trend Micro], Exploit.Win32.AdobeReader.b [Kaspersky]

The e-mail contains the following:

Subject: (any of the following)

  • Your credit report
  • Your credit points
  • Your balance report
  • Personal Financial Statement
  • Personal Credit Points

Attachments: (any of the following)

  • report.pdf
  • debt.2007.pdf
  • overdraft.2007.10.26.pdf


Upon execution, the Trojan:

  • disables the Windows firewall by issuing the following command:
    netsh firewall set opmode mode=DISABLE
  • downloads malicious files from different locations.
  • saves the downloaded files to the following location:
    %CurrentFolder%\
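As an added example that is not part of the original advisory, the following Python script turns the indicators listed above (the spam subject lines and attachment names, and the firewall-disabling netsh command) into a simple detection check a mail gateway or endpoint log review could apply. The mail headers and the process-creation log lines it runs over are constructed samples, and the log line format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the advisory: lure subject lines and attachment names.
SUSPECT_SUBJECTS = {
    "your credit report",
    "your credit points",
    "your balance report",
    "personal financial statement",
    "personal credit points",
}
SUSPECT_ATTACHMENTS = {"report.pdf", "debt.2007.pdf", "overdraft.2007.10.26.pdf"}

# Matches the command the Trojan issues to disable the Windows firewall.
# Tolerates case differences, extra whitespace, and an explicit netsh.exe.
NETSH_DISABLE_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode\s*=\s*disable\b",
    re.IGNORECASE,
)


@dataclass
class MailHeader:
    """Minimal view of an inbound message: subject line and attachment names."""
    subject: str
    attachments: List[str]


def score_mail(mail: MailHeader) -> List[str]:
    """Return the advisory indicators matched by one message (empty list if clean).

    Matching is case-insensitive because spam campaigns vary capitalisation.
    """
    hits = []
    subject = mail.subject.strip()
    if subject.lower() in SUSPECT_SUBJECTS:
        hits.append("subject:" + subject)
    for name in mail.attachments:
        name = name.strip()
        if name.lower() in SUSPECT_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def find_firewall_disable(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every process-creation record
    whose command line disables the Windows firewall via netsh."""
    return [(i, line) for i, line in enumerate(log_lines, 1)
            if NETSH_DISABLE_RE.search(line)]


# Constructed sample mail headers (not real messages).
SAMPLE_MAILS = [
    MailHeader("Your credit report", ["debt.2007.pdf"]),
    MailHeader("Quarterly newsletter", ["newsletter.pdf"]),
    MailHeader("personal financial statement", ["Overdraft.2007.10.26.PDF"]),
]

# Constructed process-creation log lines; the format is an assumption.
SAMPLE_LOG = [
    '2007-10-30 09:12:01 user=alice image=C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe cmd="AcroRd32.exe report.pdf"',
    '2007-10-30 09:12:03 user=alice image=C:\\Windows\\system32\\netsh.exe cmd="netsh firewall set opmode mode=DISABLE"',
    '2007-10-30 09:15:44 user=bob image=C:\\Windows\\system32\\netsh.exe cmd="netsh firewall show state"',
]


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        hits = score_mail(mail)
        status = "SUSPECT" if hits else "ok"
        print(f"{status:8} {mail.subject!r} -> {hits}")
    for lineno, line in find_firewall_disable(SAMPLE_LOG):
        print(f"firewall disabled at log line {lineno}: {line}")
```

The subject and attachment checks use exact (case-folded) matches so the rule stays tied to the indicators the advisory actually lists; the netsh check is a regular expression because the command line itself is the durable indicator, and a rule keyed on it also catches the same firewall-disabling behaviour from other malware.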

In view of the rapid propagation of the PDF malware, users are advised to implement the following countermeasures:

  • Disable the "mailto:" option in Acrobat, Acrobat 3D 8 and Adobe Reader via the Windows registry.
  • Apply appropriate patches to vulnerable Adobe systems as mentioned in CERT-In Vulnerability Note CIVN-2007-128.
  • Delete e-mails with the above-mentioned subject lines and attachments.
  • Avoid opening PDF files through the web browser; instead, save the file to disk before opening it.
  • Install and maintain updated anti-virus software at the gateway and desktop level.
  • Keep up to date with patches and fixes for the operating system and the above-mentioned vulnerabilities.

References

http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-102310-3513-99&tabid=1

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139103

http://www.f-secure.com/weblog/archives/00001303.html

Disclaimer:

The information provided herein is on "as is" basis, without warranty of any kind.
