Shanghai Expo Spam Carries Backdoor

Trend Micro senior advanced threats researcher Paul Ferguson obtained a spam message from a technology news group journalist who had actually received it. The message claims to be from the Bureau of the Shanghai World Expo, which is coordinating “Expo 2010.”

The spammed message contains a malicious attachment detected by Trend Micro as TROJ_PIDIEF.ACV. This malicious .PDF file exploits a known flaw in Adobe Acrobat and Reader, which was fixed in an out-of-cycle patch in the middle of February. Attacks using this vulnerability were also seen earlier this month.

However, the method used to exploit this vulnerability differs from the one used earlier this year. According to Trend Micro researcher Rajiv Motwani, these .PDF files have an embedded malicious .TIFF file. TIFF, short for Tag Image File Format, is a popular image format used to store high-quality images.

When processed by vulnerable Adobe products, this embedded .TIFF file triggers the vulnerability and the execution of arbitrary code. In this particular case, a backdoor detected by Trend Micro as BKDR_RIPINIP.I is dropped onto and executed on the affected system.

Further analysis of this threat is ongoing, so updates to this post are likely. In the meantime, users should exercise increased vigilance when opening email messages and attachments from unexpected sources.

Trend Micro™ Smart Protection Network™ protects users from these kinds of (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.