[JAWSLite] Re: Fw: Blind computer users struck by a very unusual Trojan attack
- From: "Nicky Davies" <nicholadavies@xxxxxxxxxxxxxx>
- To: <jawslite@xxxxxxxxxxxxx>
- Date: Tue, 22 Jan 2008 11:10:21 -0000
Thanks for this Jean!
Nicky Davies.
----- Original Message -----
From: "Jean Menzies" <jemenzies@xxxxxxx>
To: "Jaws Lite list" <jawslite@xxxxxxxxxxxxx>
Sent: Tuesday, January 22, 2008 3:05 AM
Subject: [JAWSLite] Fw: Blind computer users struck by a very unusual Trojan attack
Since this crack program was flogged on this list, here is an article about the devastation it caused Jaws users who fell for it.
Jean
----- Original Message -----
From: "Bob Marchand" <londonb@xxxxxxxxxx>
To: <eyeliner@xxxxxxxxxxxxxxxx>
Sent: Monday, January 21, 2008 4:25 PM
Subject: [Eyeliner] ***SPAM*** Blind computer users struck by a very unusual Trojan attack
Sent: Tuesday, 22 January 2008 5:54 AM
Taken from: www.sophos.com/security/blog/2008/01/998.html
Blind computer users struck by a very unusual Trojan attack
While I was investigating reports of the Troj/Mbroot-A Master Boot Record rootkit I decided to follow up on a suggestion seen on a mailing list. It was suggested that an incident described on the ZoneBBS forum may be related to the MBR trojan I was initially looking for.

The thread contains a number of posts submitted by several very distressed forum members. According to their reports, they have been unable to use their Windows computers since Boxing Day. The news itself would not be very interesting if the forum members complaining about these incidents were not blind. Their computers were rendered unusable because the software used to read the screen text and convert it to speech suddenly stopped working. An interesting thing was that not all users were using the same screen reader software.

I was quite keen to help, but the users had already managed to pinpoint the culprit. It was a fake crack for JAWS 9.0 screen reader software, one of the most popular screen readers. Allegedly, the crack did not just patch the JAWS executables to allow them to run without a legitimate licence, but it also installed a Trojan targeting JAWS and other popular screen readers.

Thanks to Ryan Smith, a developer of accessible games who also created a tool to help the users prevent the Trojan, I have managed to get the offending file. When I ran it through our automated analysis system I could immediately see that the patch installs more than one would hope for. Three additional files were installed: two executables, mci32.exe in Windows and svchost.exe in the Windows\Config folder. Furthermore, there was a DLL named securityService.dll in the System folder. Suspicious registry activity triggered the detection in the HIPS portion of Sophos Anti-Virus 7.

The dropped DLL was also registered with the Winlogon process so that the malicious code was loaded early during the logon process.

I started the disassembly with interest. It soon became clear that this was a very unusual and well-executed attack targeting blind people. The attention to detail and the programming style implies that the attacker was skilled, possibly a professional programmer.

As with some other advanced malware, the Trojan processes are protected by each other. The securityService.dll is protecting svchost.exe so it cannot be terminated using standard tools such as Task Manager, and svchost shields mci32.exe from deletion. This is a protection chain similar to the one seen in some earlier variants of Troj/Zlob. Furthermore, the securityService.dll registered a handler function which will get notified if the Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore its previous values.

In other words, the removal of this beast is quite difficult, even if the person cleaning up the system was not blind. The best thing would be to reboot the system from clean bootable media and remove all offending files, but that may be out of the question since the accessibility features in most Linux bootable CD distributions are not very good. The next best thing is to install anti-virus software that can remove the Trojan. Sophos Anti-Virus 7 detects it as Troj/KillJWS-A and it can successfully remove the Trojan.

The next thing I wanted to check was the payload. If the discussion on ZoneBBS was correct, the Trojan would prevent screen readers from working on 26 December 2007. I started looking for the time comparison and it did not take too long to find this code snippet:

[Image: Disassembly Troj/KillJWS-A]

The payload trigger time is compared with the current system time converted to the number of seconds elapsed since 1 January 1970. When converted to system time, the long value used for comparison is exactly 26 December 2007 at 0:00 and the payload will be launched if the current system time is later than the trigger time. The payload is relatively simple. The payload function enumerates all processes and compares the names of the running processes with a list of processes containing several well known text-to-speech programs such as Jaws, Window-Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.

Overall, this attack left me questioning the attacker's morality as it is really difficult to imagine what would be the motivation for an attack like this one. The attack does not seem to be financially motivated, although one may think that the intention was to "punish" people using illegal copies of JAWS software. All this makes me think that long prison sentences for malware writers conducting attacks such as this one are not as harsh as I used to believe.
Vanja Svajcer, SophosLabs, UK
===================
Take your shopping life back at http://tinyurl.com/32rsxz
View the list's information at http://www.freelists.org/list/jawslite
--
No virus found in this incoming message.
Checked by AVG Free Edition. Version: 7.5.516 / Virus Database:
269.19.8/1236 - Release Date: 21/01/2008 20:23
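The persistence and trigger details quoted in the forwarded Sophos article (the three dropped files, the Winlogon\Notify\securityService key, and the 26 December 2007 time comparison) are enough to build an offline triage check. The Python script below is an added example written for this archive; it is not Sophos' detection, not Ryan Smith's tool, and not code from the article. It assumes the trigger time is midnight UTC (the article gives no timezone), that the Notify subkey carries the standard DllName value (the article names only the key), and it runs against a constructed snapshot rather than a live registry or file system.

```python
"""Offline triage check for the Troj/KillJWS-A artifacts quoted in the
Sophos article above.  Added example for this list archive: not Sophos'
detection, not Ryan Smith's tool, not code from the article.  It inspects
a constructed snapshot (lists/dicts) rather than a live machine."""
import calendar

# File names and folders quoted in the article, relative to the system drive.
# The real svchost.exe lives in Windows\System32; the dropped copy does not.
DROPPED_FILES = {
    "mci32.exe": "Windows",
    "svchost.exe": "Windows\\Config",
    "securityService.dll": "Windows\\System",
}

# Registry key quoted in the article.  "DllName" is the standard value a
# Winlogon Notify package uses to point at its DLL (assumption: the article
# lists only the key, not its values).
WINLOGON_NOTIFY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
SUSPECT_SUBKEY = "securityService"

# Trigger date from the article; timezone not stated, UTC assumed.
# calendar.timegm returns seconds since 1970-01-01 for a UTC time tuple.
TRIGGER_EPOCH = calendar.timegm((2007, 12, 26, 0, 0, 0))   # 1198627200


def trigger_fired(now_epoch):
    """Mirror the comparison the article describes: the payload runs when
    the current time (seconds since 1 January 1970) is later than the
    trigger time, so the boundary second itself does not fire it."""
    return now_epoch > TRIGGER_EPOCH


def _normalise(path):
    """Lower-case, use backslashes, drop the drive letter and leading
    separators so 'C:\\Windows\\mci32.exe' becomes 'windows\\mci32.exe'."""
    p = path.replace("/", "\\").lower()
    if ":" in p:
        p = p.split(":", 1)[1]
    return p.lstrip("\\")


def check_files(present_paths):
    """Return the snapshot paths that sit exactly where a dropped file would."""
    wanted = {_normalise(folder + "\\" + name) for name, folder in DROPPED_FILES.items()}
    return [p for p in present_paths if _normalise(p) in wanted]


def check_winlogon_notify(notify_subkeys):
    """notify_subkeys maps each subkey under Winlogon\\Notify to its values.
    Flag the subkey named in the article, or any subkey whose DllName points
    at the dropped DLL (the handler could re-register it under another name)."""
    findings = []
    for name, values in notify_subkeys.items():
        dll = str(values.get("DllName", "")).lower()
        if name.lower() == SUSPECT_SUBKEY.lower() or "securityservice" in dll:
            findings.append(f"{WINLOGON_NOTIFY}\\{name} -> {values.get('DllName')}")
    return findings


def triage(present_paths, notify_subkeys, now_epoch):
    """Combine the three checks into one report dictionary."""
    return {
        "dropped_files": check_files(present_paths),
        "winlogon_notify": check_winlogon_notify(notify_subkeys),
        "trigger_fired": trigger_fired(now_epoch),
    }


# Constructed snapshot of an infected XP-era machine (not real telemetry).
SAMPLE_FILES = [
    "C:\\Windows\\mci32.exe",
    "C:\\Windows\\Config\\svchost.exe",
    "C:\\Windows\\System32\\svchost.exe",       # legitimate copy, must not match
    "C:\\Windows\\System\\securityService.dll",
    "C:\\Windows\\System32\\calc.exe",
]
SAMPLE_NOTIFY = {
    "crypt32chain": {"DllName": "crypt32.dll"},            # normal XP entry
    "securityService": {"DllName": "securityService.dll"},
}

if __name__ == "__main__":
    # 21 January 2008, the day the article was forwarded: trigger already passed.
    report = triage(SAMPLE_FILES, SAMPLE_NOTIFY, calendar.timegm((2008, 1, 21, 0, 0, 0)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the article says the DLL's handler restores the Notify key whenever it is changed, a clean result from check_winlogon_notify taken while the Trojan's processes are still running proves nothing; re-run the checks after booting from clean media or after the anti-virus removal the article recommends.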