
Trojan.Pidief

Risk Level 2: Low

Discovered:
December 17, 2009
Updated:
May 8, 2014 2:28:58 PM
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2007-5020, CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0655, CVE-2008-0667, CVE-2008-0726, CVE-2008-2042, CVE-2008-2992, CVE-2009-0658, CVE-2009-0927, CVE-2009-4324, CVE-2010-0188, CVE-2010-1297, CVE-2013-0640, CVE-2013-0641
Trojan.Pidief is a detection for a family of Trojans that exploit one or more Adobe Reader and Acrobat vulnerabilities in order to drop or download additional malware onto the compromised computer.


Infection

Typically an attacker would entice a user to click on a malicious link or send a malicious PDF by email. Email has proven to be an efficient technique that has allowed this Trojan to reach large numbers of computers in a short space of time. The content of the spam emails constantly varies, so users should always be vigilant about any PDF documents that they receive by email.

The Trojan may also arrive on a computer as a result of websites that contain exploit packs. These websites contain functionality that may allow a remote attacker to identify which vulnerabilities exist on a certain computer. Once the vulnerability has been identified, the attacker can exploit it to perform further malicious activities on the compromised computer.

Malicious PDF files are often used in targeted attacks on individuals or select groups within organizations. The aim of such attacks varies but may involve the collection and theft of sensitive and proprietary information. In these attacks, the threats operate in a stealthy manner, trying to remain undetected for as long as possible in order to maximize the amount of information that can be stolen.


Functionality
The malicious PDF file typically contains an exploit. When the file is opened, the exploit code runs and other files are then dropped and executed. Alternatively, files may be downloaded and installed. This threat family is known to be associated with dropping or downloading other threats such as Backdoor.Trojan and Infostealer.
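A static triage heuristic of the kind a defender might run over incoming PDF attachments, added here as an example and not Symantec's detection logic: it counts the auto-execution and scripting name objects an exploit document typically relies on, decodes the #xx name escapes sometimes used to hide them, and scores the sample. The two PDF byte strings are constructed for illustration, and the keyword list and score thresholds are assumptions.

```python
import re

# Name objects whose presence (especially together) is a common triage signal
# for PDFs carrying exploit code: scripting, auto-run triggers, launch/embed.
SUSPICIOUS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm"]

# PDF name objects may encode any byte as #xx (e.g. /Java#53cript == /JavaScript).
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names match the plain keyword list."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name in the decoded file, plus raw escape usage."""
    text = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS:
        # Require a delimiter after the name so /JS does not also count /JSX.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, text))
    counts["obfuscated_names"] = len(_NAME_ESCAPE.findall(data))
    return counts


def triage_score(data: bytes) -> int:
    """Assumed weighting: script + auto-run trigger + hidden names score highest."""
    c = count_keywords(data)
    score = 0
    if c["/JavaScript"] or c["/JS"]:
        score += 2
    if c["/OpenAction"] or c["/AA"]:
        score += 2
    if c["/Launch"] or c["/EmbeddedFile"] or c["/RichMedia"]:
        score += 1
    if c["/ObjStm"]:
        score += 1
    if c["obfuscated_names"]:
        score += 2
    return score


def verdict(data: bytes) -> str:
    s = triage_score(data)
    return "suspicious" if s >= 4 else "review" if s >= 2 else "clean"


# Constructed samples: a minimal empty document and one with an auto-run script.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Count 0>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 3 0 R>>endobj\n"
               b"3 0 obj<</S/Java#53cript/JS(1)>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF")
```

Running verdict() on each sample yields "clean" for the first and "suspicious" for the second; in practice the flagged file would be quarantined for sandbox or analyst review rather than opened.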



GEOGRAPHICAL DISTRIBUTION

Symantec has observed the following geographic distribution of this threat.







PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.





SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System


Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful for reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Antivirus Protection Dates

  • Initial Rapid Release version December 17, 2009 revision 001
  • Latest Rapid Release version December 14, 2014 revision 019
  • Initial Daily Certified version December 17, 2009 revision 005
  • Latest Daily Certified version December 15, 2014 revision 002
  • Initial Weekly Certified release date December 23, 2009

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 0 - 2
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload Trigger: Clicking on links in unsolicited emails.
  • Payload: Drops more malware onto the compromised computer. May open a back door on the compromised computer.
  • Releases Confidential Info: May steal information from the compromised computer.

Distribution

  • Distribution Level: Low
  • Subject of Email: Varies, depending on the spam email campaign.
Writeup By: Éamonn Young and Hon Lau
