[JAWSLite] Re: Fw: Blind computer users struck by a very unusual Trojan attack

Hello-

It is clear that we are dealing with someone who is spiritually, morally
and mentally disordered.  Still, they are doing serious damage to people.
Do we know if FS, G.W. Micro or any others have turned this info over to the
FBI?  I understand that the Federal authorities have a special division for
tracking down these kinds of crimes.  If it has not been reported I will
forward the information to the FBI for an investigation.

If anyone reading this knows of specific people who have been victims of
this Trojan and they are willing to talk to the Federal authorities, can
they please contact me or contact FS to see what they are doing.

Wayne

-----Original Message-----
From: jawslite-bounce@xxxxxxxxxxxxx [mailto:jawslite-bounce@xxxxxxxxxxxxx]
On Behalf Of Jean Menzies
Sent: Monday, January 21, 2008 9:06 PM
To: Jaws Lite list
Subject: [JAWSLite] Fw: Blind computer users struck by a very unusual Trojan attack

Since this crack program was flogged on this list, here is an article about 
the devastation it caused Jaws users who fell for it.

Jean

----- Original Message ----- 
From: "Bob Marchand" <londonb@xxxxxxxxxx>
To: <eyeliner@xxxxxxxxxxxxxxxx>
Sent: Monday, January 21, 2008 4:25 PM
Subject: [Eyeliner] ***SPAM*** Blind computer users struck by a very unusual Trojan attack


> Sent: Tuesday, 22 January 2008 5:54 AM
>
> Taken from: www.sophos.com/security/blog/2008/01/998.html
>
> Blind computer users struck by a very unusual Trojan attack
>
> While I was investigating reports of the Troj/Mbroot-A Master Boot Record
> rootkit I decided to follow up on a suggestion seen on a mailing list. It
> was suggested that an incident described on the ZoneBBS forum may be
> related to the MBR trojan I was initially looking for.
>
> The thread contains a number of posts submitted by several very distressed
> forum members. According to their reports, they have been unable to use
> their Windows computers since Boxing Day. The news itself would not be very
> interesting if the forum members complaining about these incidents were not
> blind. Their computers were rendered unusable because the software used to
> read the screen text and convert it to speech suddenly stopped working. An
> interesting thing was that not all users were using the same screen reader
> software.
>
> I was quite keen to help, but the users had already managed to pinpoint the
> culprit. It was a fake crack for the JAWS 9.0 screen reader software, one
> of the most popular screen readers. Allegedly, the crack did not just patch
> the JAWS executables to allow them to run without a legitimate licence, but
> it also installed a Trojan targeting JAWS and other popular screen readers.
>
> Thanks to Ryan Smith, a developer of accessible games who also created a
> tool to help the users prevent the Trojan, I have managed to get the
> offending file. When I ran it through our automated analysis system I could
> immediately see that the patch installs more than one would hope for. Three
> additional files were installed: two executables, mci32.exe in Windows and
> svchost.exe in the Windows\Config folder. Furthermore, there was a DLL
> named securityService.dll in the System folder. Suspicious registry
> activity triggered the detection in the HIPS portion of Sophos Anti-Virus 7.
>
> The dropped DLL was also registered with the Winlogon process so that the
> malicious code was loaded early during the logon process.
>
> I started the disassembly with interest. It soon became clear that this was
> a very unusual and well-executed attack targeting blind people. The
> attention to detail and the programming style implies that the attacker
> was skilled, possibly a professional programmer.
>
> As with some other advanced malware, the Trojan processes are protected by
> each other. The securityService.dll is protecting svchost.exe so it cannot
> be terminated using standard tools such as Task Manager, and svchost
> shields mci32.exe from deletion. This is a protection chain similar to the
> one seen in some earlier variants of Troj/Zlob. Furthermore, the
> securityService.dll registered a handler function which will get notified
> if the Registry key "HKLM\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore
> its previous values.
>
> In other words, the removal of this beast is quite difficult, even if the
> person cleaning up the system was not blind. The best thing would be to
> reboot the system from clean bootable media and remove all offending
> files, but that may be out of the question since the accessibility
> features in most Linux bootable CD distributions are not very good. The
> next best thing is to install anti-virus software that can remove the
> Trojan. Sophos Anti-Virus 7 detects it as Troj/KillJWS-A and it can
> successfully remove the Trojan.
>
> The next thing I wanted to check was the payload. If the discussion on
> ZoneBBS was correct, the Trojan would prevent screen readers from working
> on 26 December 2007. I started looking for the time comparison and it did
> not take too long to find this code snippet:
>
> [image: disassembly of Troj/KillJWS-A]
>
> The payload trigger time is compared with the current system time
> converted to the number of seconds expired since 1 January 1970. When
> converted to system time, the long value used for comparison is exactly 26
> December 2007 at 0:00, and the payload will be launched if the current
> system time is later than the trigger time. The payload is relatively
> simple. The payload function enumerates all processes and compares the
> names of the running processes with a list of processes containing several
> well known text-to-speech programs such as Jaws, Windows Eyes, Microsoft
> Narrator, HAL Screen Reader and Kurzweil.
>
> Overall, this attack left me questioning the attacker's morality as it is
> really difficult to imagine what would be the motivation for an attack
> like this one. The attack does not seem to be financially motivated,
> although one may think that the intention was to "punish" people using
> illegal copies of JAWS software. All this makes me think that long prison
> sentences for malware writers conducting attacks such as this one are not
> as harsh as I used to believe.
>
> Vanja Svajcer, SophosLabs, UK
>
> 
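The quoted write-up describes the payload as a time check against a seconds-since-1970 value for 26 December 2007 0:00, followed by a scan of running process names against a list of screen readers. The script below is an added example, not code from the article or from SophosLabs: it recomputes the trigger constant (the disassembly image is not reproduced here, so the value is derived from the date the author gives, assuming UTC as time() would return it) and reconstructs the check as described. The executable names in TARGET_PROCESSES are assumed for illustration; the article names products, not the binary's actual list.

```python
"""Reconstruction of the Troj/KillJWS-A trigger and target check as the
Sophos write-up describes it. Added example; constants and process names
are assumptions made for illustration, not values taken from the sample."""
import calendar
from datetime import datetime, timezone

# Trigger as seconds since the Unix epoch. The write-up says the comparison
# value decodes to 26 December 2007 at 0:00; time() yields UTC seconds, so
# the constant is computed for UTC midnight (assumption: UTC was meant).
TRIGGER_EPOCH = calendar.timegm((2007, 12, 26, 0, 0, 0))  # 1198627200 = 0x47719980

# Executable names assumed for the screen readers the article names
# (JAWS, Window-Eyes, Narrator, HAL, Kurzweil). Illustrative only.
TARGET_PROCESSES = frozenset(
    n.lower() for n in ("jfw.exe", "wineyes.exe", "narrator.exe", "hal.exe", "kurzweil.exe")
)


def decode_trigger(value):
    """Turn a 32-bit time_t constant pulled from a disassembly into a date string."""
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def payload_armed(now, trigger=TRIGGER_EPOCH):
    """The disassembled comparison: fire once the clock is past the trigger.
    It is 'later than', not 'equal to', so every boot after Boxing Day fires."""
    return now > trigger


def targeted(running):
    """Process-name match the payload performs; Windows names are case-insensitive."""
    return sorted({p for p in running if p.lower() in TARGET_PROCESSES})


def kill_list(running, now):
    """Processes the payload would act on at time `now` (empty before the trigger)."""
    return targeted(running) if payload_armed(now) else []


if __name__ == "__main__":
    print(decode_trigger(TRIGGER_EPOCH))      # 2007-12-26 00:00:00 UTC
    print(decode_trigger(0x47719980))         # same date, from the hex form
    # Constructed process snapshot for the demo.
    snapshot = ["explorer.exe", "JFW.exe", "svchost.exe", "narrator.exe"]
    print(kill_list(snapshot, TRIGGER_EPOCH - 1))  # []
    print(kill_list(snapshot, TRIGGER_EPOCH + 1))  # ['JFW.exe', 'narrator.exe']
```

decode_trigger is the step an analyst actually needs when a bare immediate shows up next to a time() call: feeding it the candidate constant confirms the date before any further reversing. Because the comparison is strictly "later than", setting the clock back on an infected machine would disarm the payload until the next check, which is consistent with the users' reports of everything breaking on Boxing Day and staying broken.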

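The article also gives the persistence footprint: a Winlogon Notify package named "securityService" whose DLL is in the System folder, plus mci32.exe in Windows and svchost.exe in Windows\Config. The script below is an added triage check, not code from the article, Sophos, or Ryan Smith's tool. It runs offline over a constructed host snapshot; the known-good Notify baseline is an assumed Windows XP list, the snapshot format is this example's own, and the live collector at the bottom (winreg plus os.path) is only exercised on a Windows host.

```python
"""Triage for the Troj/KillJWS-A persistence described in the write-up.
Added example; the baseline of Notify packages and the snapshot format
are assumptions for illustration."""
import os

NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notify packages shipped with Windows XP (assumed baseline; adjust per build).
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Dropped files named in the article, relative to %SystemRoot%.
DROPPED_FILES = (r"mci32.exe", r"Config\svchost.exe", r"System\securityService.dll")


def suspicious_notify_packages(notify):
    """Return sorted (subkey, DLLName) pairs for Notify packages not in the baseline.
    `notify` maps subkey name -> DLLName value, e.g. {"securityService": "securityService.dll"}."""
    return sorted((k, v) for k, v in notify.items() if k.lower() not in BASELINE_NOTIFY)


def present_dropped_files(existing_paths, system_root=r"C:\WINDOWS"):
    """Which of the article's dropped files exist; `existing_paths` is the set of
    full paths present on the host (constructed in the demo below)."""
    norm = {p.lower() for p in existing_paths}
    return [system_root + "\\" + rel for rel in DROPPED_FILES
            if (system_root + "\\" + rel).lower() in norm]


def triage(notify, existing_paths, system_root=r"C:\WINDOWS"):
    """Both indicators together: a rogue Notify package and at least one dropped file."""
    pkgs = suspicious_notify_packages(notify)
    files = present_dropped_files(existing_paths, system_root)
    return {"notify": pkgs, "files": files, "infected": bool(pkgs and files)}


def collect_live():
    """Best-effort collector for a live Windows host; returns (None, None) elsewhere."""
    try:
        import winreg
    except ImportError:
        return None, None
    notify = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as key:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                break
            with winreg.OpenKey(key, name) as sub:
                try:
                    notify[name] = winreg.QueryValueEx(sub, "DLLName")[0]
                except OSError:
                    notify[name] = None
            i += 1
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    paths = {root + "\\" + rel for rel in DROPPED_FILES
             if os.path.exists(root + "\\" + rel)}
    return notify, paths


if __name__ == "__main__":
    # Constructed snapshot of an infected XP box, as the article describes it.
    infected_notify = {"crypt32chain": "crypt32.dll", "ScCertProp": "wlnotify.dll",
                       "securityService": "securityService.dll"}
    infected_paths = {r"C:\WINDOWS\mci32.exe", r"C:\WINDOWS\Config\svchost.exe",
                      r"C:\WINDOWS\System\securityService.dll"}
    print(triage(infected_notify, infected_paths))
    print(triage({"crypt32chain": "crypt32.dll"}, set()))
```

This only answers "is it there?"; it deliberately does not try to delete the Notify subkey, because the article says the DLL registers a change handler that puts the key back, and the three components guard each other against termination and deletion. Cleanup therefore belongs to an offline boot or to an AV engine that handles the protection chain, exactly as the write-up advises.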
===================

Take your shshopping life back at http://tinyurl.com/32rsxz

View the list's information at 
http://www.freelists.org/list/jawslite
