[JAWSLite] Re: Fw: Blind computer users struck by a very unusual Trojan attack

Of course, this could be nothing more than damage control put out by Freedom
Scientific themselves. The cracked version of Jaws may work perfectly well.
Just a thought to ponder.

Peter



-----Original Message-----
From: jawslite-bounce@xxxxxxxxxxxxx [mailto:jawslite-bounce@xxxxxxxxxxxxx]
On Behalf Of Jean Menzies
Sent: Tuesday, January 22, 2008 3:06 AM
To: Jaws Lite list
Subject: [JAWSLite] Fw: Blind computer users struck by a very unusual Trojan attack

Since this crack program was flogged on this list, here is an article about
the devastation it caused Jaws users who fell for it.

Jean

----- Original Message -----
From: "Bob Marchand" <londonb@xxxxxxxxxx>
To: <eyeliner@xxxxxxxxxxxxxxxx>
Sent: Monday, January 21, 2008 4:25 PM
Subject: [Eyeliner] ***SPAM*** Blind computer users struck by a very unusual Trojan attack


> Sent: Tuesday, 22 January 2008 5:54 AM
>
> Taken from: www.sophos.com/security/blog/2008/01/998.html
>
> Blind computer users struck by a very unusual Trojan attack
>
> While I was investigating reports of the Troj/Mbroot-A Master Boot
> Record rootkit I decided to follow up on a suggestion seen on a
> mailing list. It was suggested that an incident described on ZoneBBS
> forum may be related to the MBR trojan I was initially looking for.
>
> The thread contains a number of posts submitted by several very
> distressed forum members. According to their reports, they have been
> unable to use their Windows computers since Boxing Day. The news
> itself would not be very interesting if the forum members complaining
> about these incidents were not blind. Their computers were rendered
> unusable because the software used to read the screen text and convert
> it to speech suddenly stopped working. An interesting thing was that
> not all users were using the same screen reader software.
>
> I was quite keen to help, but the users had already managed to 
> pinpoint the culprit. It was a fake crack for JAWS 9.0 screen reader 
> software, one of the most popular screen readers. Allegedly, the crack 
> did not just patch the JAWS executables to allow them to run without a 
> legitimate licence, but it also installed a Trojan targeting JAWS and 
> other popular screen readers.
>
> Thanks to Ryan Smith, a developer of accessible games who also created
> a tool to help the users prevent the Trojan, I have managed to get the
> offending file. When I ran it through our automated analysis system I
> could immediately see that the patch installs more than one would hope
> for. Three additional files were installed, two executables - mci32.exe
> in Windows and svchost.exe in the Windows\Config folder. Furthermore,
> there was a DLL named securityService.dll in the System folder.
> Suspicious registry activity triggered the detection in the HIPS
> portion of Sophos Anti-Virus 7.
>
> The dropped DLL was also registered with Winlogon process so that the 
> malicious code was loaded early during the logon process.
>
> I started the disassembly with interest. It soon became clear that 
> this was a very unusual and well-executed attack targeting blind 
> people. The attention to detail and the programming style implies that 
> the attacker was skilled, possibly a professional programmer.
>
> As with some other advanced malware, the Trojan processes are 
> protected by each other. The securityService.dll is protecting 
> svchost.exe so it can not be terminated using standard tools such as 
> Task Manager and svchost shields mci32.exe from deletion. This is a 
> protection chain similar to the one seen in some earlier variants of 
> Troj/Zlob. Furthermore, the securityService.dll registered a handler 
> function which will get notified if the Registry key 
> "HKLM\SOFTWARE\Microsoft\Windows 
> NT\CurrentVersion\Winlogon\Notify\securityService" is changed and 
> restore its previous values.
>
> In other words, the removal of this beast is quite difficult, even if
> the person cleaning up the system was not blind. The best thing would
> be to reboot the system from a clean bootable media and remove all
> offending files, but that may be out of the question since the
> accessibility features in most Linux bootable CD distributions are not
> very good. The next best thing is to install anti-virus software
> that can remove the Trojan. Sophos Anti-Virus 7 detects it as
> Troj/KillJWS-A and it can successfully remove the Trojan.
>
> Next thing I wanted to check was the payload. If the discussion on
> ZoneBBS was correct, the Trojan would prevent screen readers from
> working on 26 December 2007. I started looking for the time comparison
> and it did not take too long to find this code snippet:
>
> [Figure: disassembly of Troj/KillJWS-A]
>
> The payload trigger time is compared with the current system time
> converted to the number of seconds expired since 1 January 1970. When
> converted to system time, the long value used for comparison is
> exactly 26 December 2007 at 0:00 and the payload will be launched if
> the current system time is later than the trigger time. The payload is
> relatively simple. The payload function enumerates all processes and
> compares the names of the running processes with a list of processes
> containing several well known text-to-speech programs such as Jaws,
> Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.
>
> Overall, this attack left me questioning the attacker's morality as it
> is really difficult to imagine what would be the motivation for an
> attack like this one. The attack does not seem to be financially
> motivated, although one may think that the intention was to "punish"
> people using illegal copies of JAWS software. All this makes me think
> that long prison sentences for malware writers conducting attacks such
> as this one are not as harsh as I used to believe.
>
> Vanja Svajcer, SophosLabs, UK
>
> 

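As an added example for this thread (not code from the Sophos post, from Freedom Scientific, or from the forum members), the Python below turns the three behaviours Vanja describes into a triage check a sighted helper could run against a `reg export` of the Winlogon\Notify key and a file listing: it decodes the epoch trigger constant (the post gives 26 December 2007 at 0:00 but no time zone, so UTC is assumed), flags Notify subkeys that are not in the stock Windows XP set (that list is written from memory and is an assumption to adjust per build and vendor drivers), and flags the drop pattern of a second svchost.exe outside System32 plus the file names the post attributes to the dropper. The registry export and file list are constructed sample data so the script runs offline.

```python
"""Triage helpers for the Troj/KillJWS-A behaviour described in the Sophos post.

Added example for this thread, not Sophos code. Runs on constructed sample data.
"""
import calendar
from datetime import datetime, timezone

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Stock Winlogon\Notify subkeys on Windows XP (assumption, from memory). Vendor
# entries such as igfxcui or AtiExtEvent show up on some machines and need adding.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Binary names that only belong in %WINDIR%\system32; a second copy elsewhere is a red flag.
SYSTEM32_ONLY = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

# File names the post attributes to the dropper.
WRITEUP_IOCS = {"mci32.exe", "securityservice.dll"}

# Trigger from the post: 26 December 2007 at 0:00 as seconds since 1 January 1970.
# The post does not state a time zone; UTC is assumed here.
TRIGGER_EPOCH = calendar.timegm((2007, 12, 26, 0, 0, 0))


def payload_armed(now_epoch):
    """The comparison the post describes: payload runs once the clock is past the trigger."""
    return now_epoch > TRIGGER_EPOCH


def epoch_to_utc(epoch):
    """Render a raw epoch constant lifted from a disassembly as a readable UTC date."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_reg_export(text):
    """Parse a .reg export into {notify_subkey: {value_name: data}}, keeping only Notify subkeys."""
    entries, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(prefix):
                current = key[len(prefix):]
                entries[current] = {}
            else:
                current = None
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                entries[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            elif data.startswith("dword:"):
                entries[current][name] = int(data[len("dword:"):], 16)
    return entries


def suspicious_notify_entries(entries):
    """Flag Notify subkeys that do not look like the stock XP set."""
    findings = []
    for name, values in entries.items():
        dll = values.get("DLLName", "")
        reasons = []
        if name.lower() not in KNOWN_NOTIFY:
            reasons.append("subkey not in the stock XP Notify set")
        if not dll:
            reasons.append("no DLLName value")
        elif "\\" in dll:
            reasons.append("DLLName is a full path; stock entries use bare names loaded from System32")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


def suspicious_file_paths(paths, windir=r"C:\WINDOWS"):
    """Flag the drop pattern from the post: core binary names outside System32 and named IOCs."""
    system32 = (windir + r"\system32").lower()
    findings = []
    for path in paths:
        directory, _, base = path.rpartition("\\")
        base_l = base.lower()
        if base_l in SYSTEM32_ONLY and directory.lower() != system32:
            findings.append((path, "core system binary name outside System32"))
        elif base_l in WRITEUP_IOCS:
            findings.append((path, "file name matches a Troj/KillJWS-A drop"))
    return findings


# Constructed sample data (not a real export): one stock entry plus the dropped DLL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService]
"Asynchronous"=dword:00000000
"DLLName"="securityService.dll"
"Impersonate"=dword:00000000
"""

SAMPLE_FILES = [                                  # constructed listing
    r"C:\WINDOWS\system32\svchost.exe",           # legitimate service host
    r"C:\WINDOWS\Config\svchost.exe",             # dropped copy named in the post
    r"C:\WINDOWS\mci32.exe",                      # dropped executable named in the post
    r"C:\WINDOWS\system32\securityService.dll",   # dropped Notify DLL named in the post
    r"C:\WINDOWS\system32\crypt32.dll",
]

if __name__ == "__main__":
    print("trigger", TRIGGER_EPOCH, "=", epoch_to_utc(TRIGGER_EPOCH), "UTC")
    for name, dll, reasons in suspicious_notify_entries(parse_reg_export(SAMPLE_REG)):
        print("Notify", name, dll, "; ".join(reasons))
    for path, why in suspicious_file_paths(SAMPLE_FILES):
        print("file", path, why)
```

On a live machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and run the audit twice a minute apart: a Notify subkey that you delete between runs and that is back in the second export is consistent with the registry-change handler the post describes, which is also why cleanup from inside the running system fails and booting clean media is the reliable route.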
===================

Take your shshopping life back at http://tinyurl.com/32rsxz

View the list's information at
http://www.freelists.org/list/jawslite
