[access-uk] Re: Fw: mp3req informational: trojan horse warning

  • From: "Graham Page" <gpage@xxxxxxxxxxxxxx>
  • To: <access-uk@xxxxxxxxxxxxx>
  • Date: Sun, 27 Jan 2008 22:07:44 -0000

Hi Mandy.

It depends whether you are using a cracked copy or not.  If you are, then I 
confirm that I have come across users with similar problems, but with a cracked 
version of JAWS version 8.  
No, I am not going to say who.  They've had enough of a headache with this one, 
but it does go to show that using cracked software is a risky business.

What is worrying about this is that virus scanners such as NOD, McAfee and 
AVG all failed to stop this dodgy version of JAWS running.  The 
version I saw in action was a cracked version of JAWS 8 which kicked in 
straight away and only seems to have affected Windows XP Pro machines, but the 
other symptoms look pretty similar.

In summary then, of course using cracked software is illegal; that is pretty 
much self-evident, but as these problems demonstrate it can be dangerous.  After 
all, you don't know who wrote the crack in the first place, or why.

Cheers

Graham 
Graham Page
Home Phone: 0207 265 9493
Mobile: 07753 607980
Fax:  0870 706 2773
Email: gpage@xxxxxxxxxxxxxx
MSN: gabriel_mcbird@xxxxxxxxxxx
Skype: gabriel_mcbird

  ----- Original Message ----- 
  From: Mandy 
  To: access-uk@xxxxxxxxxxxxx 
  Sent: Friday, January 25, 2008 12:13 PM
  Subject: [access-uk] Fw: mp3req informational: trojan horse warning


  Brian received this email and I'm forwarding it for opinion on what it 
means.  Is it something we JAWS 9 users need to worry about?

  Mandy.
  ----- Original Message ----- 
  From: Brian 
  To: Mandy 
  Sent: Friday, January 25, 2008 10:34 AM
  Subject: Fw: mp3req informational: trojan horse warning



  ----- Original Message ----- 
  From: Doc 
  To: Undisclosed-Recipient:; 
  Sent: Friday, January 25, 2008 5:40 AM
  Subject: mp3req informational: trojan horse warning


  Blind computer users struck by a very unusual Trojan attack
  While I was investigating reports of the Troj/Mbroot-A Master Boot Record 
rootkit I decided to follow up on a suggestion seen on a mailing list. It was 
suggested that an incident described on ZoneBBS forum may be related to the MBR 
trojan I was initially looking for.

  The thread contains a number of posts submitted by several very distressed 
forum members. According to their reports, they have been unable to use their 
Windows computers since Boxing Day. The news itself would not be very 
interesting if the forum members complaining about these incidents were not 
blind. Their computers were rendered unusable because the software used to read 
the screen text and convert it to speech suddenly stopped working. An 
interesting thing was that not all users were using the same screen reader 
software.

  I was quite keen to help, but the users had already managed to pinpoint the 
culprit. It was a fake crack for JAWS 9.0 screen reader software, one of the 
most popular screen readers. Allegedly, the crack did not just patch the JAWS 
executables to allow them to run without a legitimate licence, but it also 
installed a Trojan targeting JAWS and other popular screen readers.

  Thanks to Ryan Smith, a developer of accessible games who also created a tool 
to help the users prevent the Trojan, I have managed to get the offending file. 
When I ran it through our automated analysis system I could immediately see 
that the patch installs more than one would hope for. Three additional files 
were installed, two executables - mci32.exe in Windows and svchost.exe in the 
Windows\Config folder. Furthermore, there was a DLL named securityService.dll 
in the System folder. Suspicious registry activity triggered the detection in 
the HIPS portion of Sophos Anti-Virus 7.

  The dropped DLL was also registered with Winlogon process so that the 
malicious code was loaded early during the logon process.

  I started the disassembly with interest. It soon became clear that this was a 
very unusual and well-executed attack targeting blind people. The attention to 
detail and the programming style implies that the attacker was skilled, 
possibly a professional programmer.

  As with some other advanced malware, the Trojan processes are protected by 
each other. The securityService.dll is protecting svchost.exe so it cannot be 
terminated using standard tools such as Task Manager, and svchost shields 
mci32.exe from deletion. This is a protection chain similar to the one seen in 
some earlier variants of Troj/Zlob. Furthermore, the securityService.dll 
registered a handler function which will get notified if the Registry key 
"HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore its 
previous values.

  In other words, the removal of this beast is quite difficult, even if the 
person cleaning up the system were not blind. The best thing would be to reboot 
the system from clean bootable media and remove all offending files, but that 
may be out of the question since the accessibility features in most Linux 
bootable CD distributions are not very good. The next best thing is to install 
anti-virus software that can remove the Trojan. Sophos Anti-Virus 7 detects 
it as Troj/KillJWS-A and can successfully remove the Trojan.

  The next thing I wanted to check was the payload. If the discussion on ZoneBBS 
was correct, the Trojan would prevent screen readers from working on 26 
December 2007. I started looking for the time comparison and it did not take 
too long to find this code snippet:

  The payload trigger time is compared with the current system time converted 
to the number of seconds elapsed since 1 January 1970. When converted to system 
time, the long value used for comparison is exactly 26 December 2007 at 0:00, 
and the payload will be launched if the current system time is later than the 
trigger time. The payload is relatively simple. The payload function enumerates 
all processes and compares the names of the running processes with a list of 
processes containing several well-known text-to-speech programs such as JAWS, 
Window-Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.

  Overall, this attack left me questioning the attacker's morality as it is 
really difficult to imagine what would be the motivation for an attack like 
this one. The attack does not seem to be financially motivated, although one 
may think that the intention was to "punish" people using illegal copies of 
JAWS software. All this makes me think that long prison sentences for malware 
writers conducting attacks such as this one are not as harsh as I used to believe.

  Vanja Svajcer, SophosLabs, UK

  ******************************
  When you give unto others,
  whether or not they give to you in return, it matters not, for your job is 
  complete and your rewards forthcoming. 

  robert Doc Wright
  http://www.wrightplaceinc.net
  msn
  godfearer15@xxxxxxxxxxx


  ----- Original Message ----- 
  From: Christine Menges 
  To: Doc 
  Sent: Thursday, January 24, 2008 5:20 PM
  Subject: did you see this?

  There is apparently a trojan horse (that's a particularly nasty 
  variety of malware) that disables a variety of products for people 
  with disabilities, but particularly JAWS, WindowEyes, Microsoft 
  Narrator, HAL, and Kurzweil. It was masquerading as a crack to 
  disable the software protection features of JAWS 9.0. See 
  http://www.sophos.com/security/blog/2008/01/998.html 
  for additional information.

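The dropped-file locations, the Winlogon Notify persistence key and the epoch-seconds trigger described in the SophosLabs write-up quoted above, turned into a small triage checker a helper could run over a file and registry listing from an affected machine. This is an added example, not code from the write-up or from Sophos; the sample listings are constructed, midnight UTC is assumed for the trigger date, and the Windows directory is a parameter.

```python
import calendar
import ntpath
from datetime import datetime, timezone

# Indicators named in the SophosLabs write-up: lowercase file name mapped to the
# folder (relative to the Windows directory) the file was dropped into.
DROPPED_FILES = {
    "mci32.exe": "",               # directly inside the Windows folder
    "svchost.exe": "config",       # a genuine svchost.exe lives only in System32
    "securityservice.dll": "system",
}
# Winlogon notification package the DLL registered itself under
NOTIFY_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
              r"\Winlogon\Notify\securityService")

def trigger_epoch(year, month, day):
    """Seconds since 1 Jan 1970 for midnight (assumed UTC) on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0))

def decode_trigger(epoch_seconds):
    """Turn a time_t constant seen in a disassembly back into a readable UTC date."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")

def check_host(file_paths, registry_keys, windows_dir=r"C:\WINDOWS"):
    """Match a host's file and registry listing against the indicators above."""
    findings = []
    for path in file_paths:
        folder, name = ntpath.split(path)
        sub = DROPPED_FILES.get(name.lower())
        if sub is None:
            continue
        expected = ntpath.join(windows_dir, sub).rstrip("\\").lower()
        if folder.rstrip("\\").lower() == expected:
            findings.append("dropped file: " + path)
    if any(key.lower() == NOTIFY_KEY.lower() for key in registry_keys):
        findings.append("persistence: " + NOTIFY_KEY)
    return findings

# Constructed sample listing: one genuine svchost.exe plus the three dropped files,
# and one constructed benign Notify entry beside the malicious one.
SAMPLE_FILES = [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\Config\svchost.exe",
                r"C:\WINDOWS\mci32.exe", r"C:\WINDOWS\System\securityService.dll"]
SAMPLE_KEYS = [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\exampleNotify",
               NOTIFY_KEY]

if __name__ == "__main__":
    print(decode_trigger(trigger_epoch(2007, 12, 26)))
    for finding in check_host(SAMPLE_FILES, SAMPLE_KEYS):
        print(finding)
```

The genuine System32 copy of svchost.exe is not reported; only the copy in the Windows\Config folder named in the write-up is.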