Shanghai Expo Spam Carries Backdoor

Written by: Bernadette Caraig

How does this threat get into users' systems?

This threat arrives as a spammed message purportedly from the Bureau of the Shanghai World Expo. It contains a .PDF file attachment asking users to fill it out.



How does this threat infect users?

The attachment is a malware detected as TROJ_PIDIEF.ACV, which exploits a vulnerability in certain versions of Adobe Reader and Acrobat. Once exploited, it drops a backdoor detected as BKDR_RIPINIP.I.

What is the driving force behind this threat?


The backdoor performs several malicious routines, including receiving commands from a remote user and stealing information such as an affected system's OS version, CPU information, computer name, and IP address.

What is different in this attack?

While the same vulnerability has been exploited in other attacks earlier this year, the method used to exploit the said vulnerability differed in that the specially crafted .PDF files have a malicious .TIFF file embedded, which if processed by Adobe products, triggers the vulnerability and executes arbitrary code.


Also, these attacks seem to be relying on the recipients’ interest or participation in the Shanghai World Expo named "Expo 2010," which expects to draw a crowd of up to 70 million visitors, the largest in the history of these types of events, according to
Wikipedia.

How can users protect themselves from this attack?


This attack has several components. Multilayered defense is necessary to ensure that the malicious spam, the PDF exploit, the backdoor, and the backdoor’s outbound communication are blocked or detected.


Trend Micro Smart Protection Network
detects the spammed message and all the files related to this attack and blocks the associated domain server where the backdoor connects to send stolen information. Trend Micro Deep Security™ can also help shield users from the vulnerability related to this attack. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-014 release.