Security Response

Wake up India, It’s Time to Vote!

Created: 24 Apr 2009 20:49:59 GMT • Updated: 23 Jan 2014 18:35:40 GMT
Karthik Selvaraj

Once again, the Indian election looms, and while it is an exciting time to vote, malware authors are looking to exploit voters’ hope and enthusiasm for their country’s political future. Any popular website with a large user base inevitably becomes a target that attackers use to host or push their threats onto unsuspecting users’ computers. This time, the voting website Jaago re! is the attackers’ choice.

Jaago re! is an Indian online non-profit portal that provides several voter services, including voter registration, voter list searching, election information, and assembly constituency searching. It’s easy to see why this site has a large enough user base to make it a target for attackers. 

Unfortunately, Jaago re! has not only become a target for attackers, but has also become a victim. We discovered that this site was compromised and its pages were contaminated with malicious JavaScript. However, at the time of this writing the website has been cleaned up and is no longer serving the malicious JavaScript.

The malicious JavaScript file that was uploaded to the site was the first link in a chain of JavaScript files that eventually led to a malicious PDF file. This file attempted to exploit vulnerable PDF readers. The payload of the malicious PDF then attempted to download malware to the compromised computer.

The screenshot below shows an excerpt from the initial script used by the attackers:

[Screenshot: excerpt from the initial script injected into the site]

The malicious PDF file attempted to exploit two known Adobe Reader vulnerabilities, CVE-2007-5659 and CVE-2008-2992. (Patches for both vulnerabilities are available from Adobe.) The following screenshot shows an excerpt of the malicious JavaScript embedded in the PDF to trigger them.

[Screenshot: excerpt of the malicious JavaScript embedded in the PDF]

Symantec detects the malicious JavaScript files used in this attack as JS.Downloader. The malicious PDF file and the downloaded executable are detected as Trojan.Pidief.D and Trojan Horse, respectively. Symantec customers are protected against this latest attack as long as they keep their antivirus definitions up to date. It is also a good idea to keep your patch levels up to date, because the final stage of the payload will not work against fully patched versions of Adobe Reader.
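As an added, defender-side illustration of the PDF stage described above (this is example code written for this page, not code from the post or from Symantec), the following Python script inflates FlateDecode streams in a PDF and flags script-bearing action keys, common obfuscation patterns, and the two Acrobat JavaScript functions that Adobe's advisories list as the targets of CVE-2007-5659 and CVE-2008-2992. The functions `inflate_streams` and `triage_pdf` are hypothetical names, and the PDF bytes are constructed here rather than taken from the real attack file.

```python
import re
import zlib

# Acrobat JavaScript functions targeted by the two vulnerabilities the post names
# (mapping taken from Adobe's advisories), plus generic PDF action keys and
# obfuscation patterns that exploit scripts of that era commonly used.
EXPLOIT_APIS = {b"Collab.collectEmailInfo": "CVE-2007-5659", b"util.printf": "CVE-2008-2992"}
ACTION_KEYS = [b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch"]
OBFUSCATION = [rb"unescape\s*\(", rb"eval\s*\(", rb"%u[0-9a-fA-F]{4}", rb"String\.fromCharCode"]

def inflate_streams(data: bytes) -> bytes:
    """Replace each FlateDecode stream body with its inflated content so that
    indicators hidden inside compressed objects are visible to the string scan."""
    def _inflate(m):
        try:
            return m.group(1) + zlib.decompress(m.group(2)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not deflate data (or truncated): keep the raw bytes
    return re.sub(rb"(stream\r?\n)(.*?)\nendstream", _inflate, data, flags=re.S)

def triage_pdf(data: bytes) -> dict:
    """Static triage: which action keys, known-exploit APIs and obfuscation
    patterns appear, and whether the combination warrants quarantine."""
    body = inflate_streams(data)
    found = {
        "actions": [k.decode() for k in ACTION_KEYS if k in body],
        "exploit_apis": [cve for api, cve in EXPLOIT_APIS.items() if api in body],
        "obfuscation": [p.decode() for p in OBFUSCATION if re.search(p, body)],
    }
    # A known-vulnerable API, or embedded script plus shellcode-style obfuscation, is enough to flag.
    found["suspicious"] = bool(found["exploit_apis"]) or (
        b"/JavaScript" in body and bool(found["obfuscation"]))
    return found

# Constructed sample (not the file from the attack): the catalog's OpenAction runs a
# FlateDecode-compressed script that calls util.printf on an unescape()'d string.
_JS = b'var s = unescape("%u4141%u4141"); util.printf("%s", s);'
_STREAM = zlib.compress(_JS)
SAMPLE_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
    b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj",
    b"5 0 obj << /Length " + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>",
    b"stream", _STREAM, b"endstream", b"endobj",
    b"trailer << /Root 1 0 R >>", b"%%EOF"])
# Constructed benign document: same page tree, no actions and no script.
BENIGN_PDF = SAMPLE_PDF.split(b"4 0 obj")[0].replace(b" /OpenAction 4 0 R", b"") + b"trailer << /Root 1 0 R >>\n%%EOF"
```

Because the scan is purely string-based, it is a triage aid for sorting samples before detonation, not a replacement for an up-to-date antivirus engine or a patched reader.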