RE: Fwd: [Aebc] Virus/Trojan targets blind computer users

  • From: Joseph Lee <joseph.lee22590@xxxxxxxxxxxx>
  • To: jfw@xxxxxxxxxxxxx, jfw@xxxxxxxxxxxxx?
  • Date: Tue, 22 Jan 2008 16:44:50 -0800

Hi Robert,
The email in question also came to Blind Geek Zone and Blind Cool Tech lists as well.
Cheers,
Joseph

----- Original Message -----
From: RAWest <rawest@xxxxxxxxxxxxx
To: jfw@xxxxxxxxxxxxx
Date sent: Tue, 22 Jan 2008 14:26:31 -0500
Subject: RE: Fwd: [Aebc] Virus/Trojan targets blind computer users

On December 3, 2007 there were emails sent out to members of the jaws lite news group, and the jfw@xxxxxxxxxxxxx groups.

Could have been others, but these are 2 that I know of.

This email provided a link to a jaws authorization crack for versions 8 and 9.

Since FS does not email updates it should have been treated with caution.

Some on both lists went and installed it and ridiculed others for condemning its validity.

So I guess now the chicken has come home to roost.

Always use the Jaws update tool to get updates from FS.

Robert


-----Original Message-----
From: jfw-bounce@xxxxxxxxxxxxx [mailto:jfw-bounce@xxxxxxxxxxxxx] On Behalf Of Peter
Sent: Tuesday, January 22, 2008 12:16 PM
To: jfw@xxxxxxxxxxxxx
Subject: Re: Fwd: [Aebc] Virus/Trojan targets blind computer users

I don't remember this running wild on the list. What was it, and what was the subject heading, in case I've done anything to get it on here?

Peter

--------------------------------------------------
From: "James Homuth" <james@xxxxxxxxxxx
Sent: Tuesday, January 22, 2008 4:33 PM
To: <jfw@xxxxxxxxxxxxx
Subject: Fwd: [Aebc] Virus/Trojan targets blind computer users

Since this was running wild on the JFW list a few weeks back, I thought it worthwhile to share that yes, there is a fix for it and yes, it is being looked at by more than just the blind/visually impaired community.

James,
List Admin
From: "Anthony Tibbs" <anthony-list@xxxxxxxx
To: <aebc@xxxxxxxxxxxxxxxxx>, <lvottawa@xxxxxxxxxxxxxxx
Date: Tue, 22 Jan 2008 11:21:37 -0500
Subject: [Aebc] Virus/Trojan targets blind computer users

http://www.sophos.com:80/security/blog/2008/01/998.html

17 January 2008 16:29 GMT

Blind computer users struck by a very unusual Trojan attack

While I was investigating reports of the Troj/Mbroot-A Master Boot Record rootkit I decided to follow up on a suggestion seen on a mailing list. It was suggested that an incident described on ZoneBBS forum may be related to the MBR trojan I was initially looking for.

The thread contains a number of posts submitted by several very distressed forum members. According to their reports, they have been unable to use their Windows computers since Boxing Day. The news itself would not be very interesting if the forum members complaining about these incidents were not blind. Their computers were rendered unusable because the software used to read the screen text and convert it to speech suddenly stopped working. An interesting thing was that not all users were using the same screen reader software.

I was quite keen to help, but the users had already managed to pinpoint the culprit. It was a fake crack for JAWS 9.0 screen reader software, one of the most popular screen readers. Allegedly, the crack did not just patch the JAWS executables to allow them to run without a legitimate licence, but it also installed a Trojan targeting JAWS and other popular screen readers.

Thanks to Ryan Smith, a developer of accessible games who also created a tool to help the users prevent the Trojan, I have managed to get the offending file. When I ran it through our automated analysis system I could immediately see that the patch installs more than one would hope for. Three additional files were installed, two executables - mci32.exe in Windows and svchost.exe in the Windows\Config folder. Furthermore, there was a DLL named securityService.dll in the System folder. Suspicious registry activity triggered the detection in the HIPS portion of Sophos Anti-Virus 7.

The dropped DLL was also registered with the Winlogon process so that the malicious code was loaded early during the logon process.

I started the disassembly with interest. It soon became clear that this was a very unusual and well-executed attack targeting blind people. The attention to detail and the programming style implies that the attacker was skilled, possibly a professional programmer.

As with some other advanced malware, the Trojan processes are protected by each other. The securityService.dll is protecting svchost.exe so it cannot be terminated using standard tools such as Task Manager, and svchost shields mci32.exe from deletion. This is a protection chain similar to the one seen in some earlier variants of Troj/Zlob. Furthermore, the securityService.dll registered a handler function which will get notified if the Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore its previous values.

In other words, the removal of this beast is quite difficult, even if the person cleaning up the system was not blind. The best thing would be to reboot the system from clean bootable media and remove all offending files, but that may be out of the question since the accessibility features in most Linux bootable CD distributions are not very good. The next best thing is to install anti-virus software that can remove the Trojan. Sophos Anti-Virus 7 detects it as Troj/KillJWS-A and it can successfully remove the Trojan.

Next thing I wanted to check was the payload. If the discussion on ZoneBBS was correct, the Trojan would prevent screen readers from working on 26 December 2007. I started looking for the time comparison and it did not take too long to find this code snippet:

The payload trigger time is compared with the current system time converted to the number of seconds expired since 1 January 1970. When converted to system time, the long value used for comparison is exactly 26 December 2007 at 0:00 and the payload will be launched if the current system time is later than the trigger time. The payload is relatively simple. The payload function enumerates all processes and compares the names of the running processes with a list of processes containing several well known text-to-speech programs such as Jaws, Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.

Overall, this attack left me questioning the attacker's morality as it is really difficult to imagine what would be the motivation for an attack like this one. The attack does not seem to be financially motivated, although one may think that the intention was to "punish" people using illegal copies of JAWS software. All this makes me think that long prison sentences for malware writers conducting attacks such as this one are not as harsh as I used to believe.

Vanja Svajcer, SophosLabs, UK
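The write-up above says the Trojan persisted through a Winlogon Notify package and re-wrote its own registry key whenever it was changed. The following is an added example, not code from the Sophos post or the thread: it parses an offline .reg export and flags Notify packages that are not in a known baseline. The baseline set and the sample export are constructed here; tune the baseline to the Windows build being examined.

```python
# Added example (not from the Sophos post): flag unexpected Winlogon\Notify
# packages in a .reg export, the persistence mechanism securityService.dll used.
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Notify packages shipped with Windows XP; an analyst-maintained baseline
# (assumption) that must be tuned for the build under examination.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_reg_export(text):
    """Minimal parser for a .reg export: {key path: {value name: raw value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = value.strip('"')
    return keys


def unexpected_notify_packages(reg_text):
    """Return (subkey, DLLName) for every Notify package outside the baseline."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = key[len(NOTIFY_PREFIX):]
        if package.lower() not in BASELINE_NOTIFY:
            findings.append((package, values.get("DLLName", "")))
    return findings


# Constructed sample export: one legitimate XP package and the Trojan's
# package named in the write-up (values other than DLLName are illustrative).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\securityService]
"DLLName"="securityService.dll"
"Startup"="WLEventStartup"
"Asynchronous"=dword:00000000
"""

if __name__ == "__main__":
    for package, dll in unexpected_notify_packages(SAMPLE_REG):
        print(f"unexpected Notify package {package!r} loads {dll!r}")
```

Because the Trojan's handler restores the key when it is changed, an export taken from the offline hive (clean boot media) is more trustworthy than a live query that may already have been reverted.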

To unsubscribe from the list, send an email to:

aebc-unsubscribe@xxxxxxxxxxxxxxxxx

Leave the body and subject fields blank. You will receive a message back asking you to confirm this action. Simply reply to the message leaving the body and subject of the message intact.


This mailing list is sponsored by The Alliance for Equality of Blind Canadians. For more information please call 1 800 561 4774 or visit our web site at www.BlindCanadians.ca

Disclaimer: Neither the AEBC nor this list moderator will be held responsible for material posted on this list. ''If you say it, then you are responsible for it.'' Messages are posted as they were intended by the author!
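The Sophos write-up quoted above describes the payload gate as a comparison of the current time, in seconds since 1 January 1970, against a constant that decodes to 26 December 2007 at 0:00. The following is an added example, not the post's code: it reproduces that comparison (useful when picking a sandbox clock, since a run dated before the trigger shows no payload) and scans a byte string for embedded dwords that decode to dates in a chosen window, which is how an analyst surfaces such trigger constants without reading the whole disassembly. The sample bytes are constructed, and the trigger is taken as 00:00 UTC because the post does not name a timezone.

```python
# Added example (not from the Sophos post): the time-bomb comparison the
# write-up describes, plus a scan for embedded Unix timestamps in a sample.
import struct
from datetime import datetime, timezone

# Trigger named in the write-up, taken as 00:00 UTC (assumption: the post
# does not say which timezone "0:00" refers to).
TRIGGER_SECONDS = int(datetime(2007, 12, 26, tzinfo=timezone.utc).timestamp())


def is_triggered(now_seconds, trigger_seconds=TRIGGER_SECONDS):
    """The gate the post describes: fire once the clock is past the trigger.
    A sandbox whose clock is set before the trigger will never reach the payload."""
    return now_seconds > trigger_seconds


def embedded_timestamps(blob, lo_seconds, hi_seconds):
    """Every 32-bit little-endian dword in blob whose value, read as Unix time,
    lies in [lo_seconds, hi_seconds). Tried at every byte offset; a narrow
    window keeps accidental matches rare."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if lo_seconds <= val < hi_seconds:
            stamp = datetime.fromtimestamp(val, timezone.utc)
            hits.append((off, val, stamp.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


# Constructed sample bytes standing in for a code section: zero padding around
# a plausible build timestamp (1196000000) and the trigger constant.
SAMPLE_BLOB = (b"\x00" * 8 + struct.pack("<I", 1196000000)
               + b"\x00" * 8 + struct.pack("<I", TRIGGER_SECONDS) + b"\x00" * 8)
SCAN_LO = int(datetime(2007, 1, 1, tzinfo=timezone.utc).timestamp())
SCAN_HI = int(datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp())


def scan_sample():
    """Run the scan over the constructed bytes with a 2007-2008 window."""
    return embedded_timestamps(SAMPLE_BLOB, SCAN_LO, SCAN_HI)


if __name__ == "__main__":
    for off, val, when in scan_sample():
        print(f"offset {off:#06x}: {val} -> {when} UTC")
```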

--
JFW related links:
JFW homepage: http://www.freedomscientific.com/
Scripting mailing list: http://lists.the-jdh.com/listinfo.cgi/scriptography-the-jdh.com
JFW List instructions:
To post a message to the list, send it to jfw@xxxxxxxxxxxxx
To unsubscribe from this mailing list, send a message to jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
Archives located at: //www.freelists.org/archives/jfw

If you have any concerns about the list, post received from the list, or the way the list is being run, do not post them to the list. Rather contact the list owner at jfw-admins@xxxxxxxxxxxxxx
