Method of Infection
PDF/Pidief variants typically arrive as an attachment to, or a URL link in the body of, a spammed email. The trojan employs social engineering techniques to entice users into downloading and opening the file. Once opened, Pidief attempts to perform a buffer overflow attack on vulnerable versions of Adobe Reader by exploiting the CVE-2007-5659 and CVE-2008-0655 vulnerabilities. Thereafter it executes the embedded shellcode, which contains its payload.
The trojan usually arrives in a compressed format, making it difficult for users to inspect the strings. Within the exploited PDF is an object containing the malicious stream data, which itself contains the JavaScript program.
When executed, the malware first runs the maliciously crafted copy and immediately closes it. It then reopens a clean copy of the file which it dropped in the %Temp% directory.
Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
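As an added defender-side example (not part of this write-up or any vendor tool), the script below shows how the structure described above can be surfaced for triage: it walks a PDF's objects, inflates FlateDecode streams, and flags objects that name JavaScript or whose decompressed body looks like script. The sample PDF is constructed inline with a harmless placeholder script; the object layout and the `find_suspicious_objects` helper are assumptions for illustration.

```python
import re
import zlib

# Constructed sample PDF (not taken from the page): one object carries a
# FlateDecode-compressed stream whose inflated body is JavaScript, and a
# second object references it via /JS, mirroring the layout described in
# the write-up. The script itself is a harmless placeholder.
_SAMPLE_JS = b'app.alert("constructed sample - not malicious");'
_SAMPLE_STREAM = zlib.compress(_SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_SAMPLE_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _SAMPLE_STREAM
    + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Dictionary keys that attach script or auto-run actions to a document.
JS_MARKERS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")

def inflate(data: bytes) -> bytes:
    """Inflate a FlateDecode stream; a decompressobj tolerates truncated
    or trailing bytes instead of raising, returning what it could decode."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""

def find_suspicious_objects(pdf: bytes) -> list:
    """Return (object number, reasons) for each object that references
    JavaScript or whose (inflated) stream body looks like script code."""
    findings = []
    for num, _gen, body in OBJ_RE.findall(pdf):
        reasons = [m.decode() for m in JS_MARKERS if m in body]
        match = STREAM_RE.search(body)
        if match:
            raw = match.group(1)
            content = inflate(raw) if b"/FlateDecode" in body else raw
            # Calls on the Acrobat JS objects are a cheap script heuristic.
            if re.search(rb"\b(app|util|Collab|this)\.\w+\s*\(", content):
                reasons.append("script-like stream body")
        if reasons:
            findings.append((int(num), reasons))
    return findings

if __name__ == "__main__":
    for num, reasons in find_suspicious_objects(SAMPLE_PDF):
        print(f"object {num}: {', '.join(reasons)}")
```

The same scan applied to a real sample tells you which object to extract and inspect without relying on strings over the compressed bytes.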
Payload
Steals Sensitive Information
PDF/Pidief variants gather sensitive information about the affected system such as:
- Computer name
- Processor speed
- IP address
- Operating system
It sends the collected information to a remote IP address.
Downloads Additional Malware
PDF/Pidief variants may attempt to remotely connect to any of the following locations, to download and install additional malware:
- 207.46.18.94
- 203.220.22.177
- 203.81.177.121
- fas.ns01.info
For additional information:
PDF/Pidief variants may cause Adobe Reader to unexpectedly hang, crash or display empty data, or PDF files to unexpectedly close and reopen.
Analysis by Methusela Ferrer