RE: Fwd: [Aebc] Virus/Trojan targets blind computer users

  • From: RAWest <rawest@xxxxxxxxxxxxx>
  • To: jfw@xxxxxxxxxxxxx
  • Date: Tue, 22 Jan 2008 14:26:31 -0500

On December 3, 2007 there were emails sent out to members of the jaws lite
news group and the jfw@xxxxxxxxxxxxx group.

Could have been others, but these are the two that I know of.

This email provided a link to a JAWS authorization crack for versions 8 and
9.

Since FS does not email updates, it should have been treated with caution.

Some on both lists went and installed it and ridiculed others for condemning
its validity.

So I guess now the chicken has come home to roost.

Always use the JAWS update tool to get updates from FS.

Robert
 

-----Original Message-----
From: jfw-bounce@xxxxxxxxxxxxx [mailto:jfw-bounce@xxxxxxxxxxxxx] On Behalf
Of Peter
Sent: Tuesday, January 22, 2008 12:16 PM
To: jfw@xxxxxxxxxxxxx
Subject: Re: Fwd: [Aebc] Virus/Trojan targets blind computer users

I don't remember this running wild on the list. What was it, and what was the
subject heading, in case I've done anything to get it on here?

Peter

--------------------------------------------------
From: "James Homuth" <james@xxxxxxxxxxx>
Sent: Tuesday, January 22, 2008 4:33 PM
To: <jfw@xxxxxxxxxxxxx>
Subject: Fwd: [Aebc] Virus/Trojan targets blind computer users

> Since this was running wild on the JFW list a few weeks back, I
> thought it worthwhile to share that yes, there is a fix for it and
> yes, it is being looked at by more than just the blind/visually impaired
> community.
>
> James,
> List Admin
>>From: "Anthony Tibbs" <anthony-list@xxxxxxxx>
>>To: <aebc@xxxxxxxxxxxxxxxxx>, <lvottawa@xxxxxxxxxxxxxxx>
>>Date: Tue, 22 Jan 2008 11:21:37 -0500
>>Subject: [Aebc] Virus/Trojan targets blind computer users
>>
>>http://www.sophos.com:80/security/blog/2008/01/998.html
>>
>>17 January 2008 16:29 GMT
>>
>>Blind computer users struck by a very unusual Trojan attack
>>
>>While I was investigating reports of the Troj/Mbroot-A Master Boot Record
>>rootkit I decided to follow up on a suggestion seen on a mailing list.
>>It was suggested that an incident described on ZoneBBS forum may be
>>related to the MBR trojan I was initially looking for.
>>
>>The thread contains a number of posts submitted by several very 
>>distressed forum members. According to their reports, they have been 
>>unable to use their Windows computers since Boxing Day. The news 
>>itself would not be very interesting if the forum members complaining 
>>about these incidents were not blind. Their computers were rendered 
>>unusable because the software used to read the screen text and convert 
>>it to speech suddenly stopped working. An interesting thing was that 
>>not all users were using the same screen reader software.
>>
>>I was quite keen to help, but the users had already managed to 
>>pinpoint the culprit. It was a fake crack for JAWS 9.0 screen reader 
>>software, one of the most popular screen readers. Allegedly, the crack 
>>did not just patch the JAWS executables to allow them to run without a 
>>legitimate licence, but it also installed a Trojan targeting JAWS and 
>>other popular screen readers.
>>
>>Thanks to Ryan Smith, a developer of accessible games who also created 
>>a tool to help the users prevent the Trojan, I have managed to get the 
>>offending file. When I ran it through our automated analysis system I
>>could immediately see that the patch installs more than one would hope
>>for. Three additional files were installed, two executables - 
>>mci32.exe in Windows and svchost.exe in the Windows\Config folder. 
>>Furthermore, there was a DLL named securityService.dll in the System 
>>folder. Suspicious registry activity triggered the detection in the 
>>HIPS portion of Sophos Anti-Virus 7.
>>
>>
>>
>>The dropped DLL was also registered with the Winlogon process so that the
>>malicious code was loaded early during the logon process.
>>
>>I started the disassembly with interest. It soon became clear that 
>>this was a very unusual and well-executed attack targeting blind 
>>people. The attention to detail and the programming style implies that 
>>the attacker was skilled, possibly a professional programmer.
>>
>>As with some other advanced malware, the Trojan processes are
>>protected by each other. The securityService.dll is protecting
>>svchost.exe so it cannot be terminated using standard tools such as
>>Task Manager, and svchost shields mci32.exe from deletion. This is a
>>protection chain similar to the one seen in some earlier variants of
>>Troj/Zlob. Furthermore, the securityService.dll registered a handler
>>function which will get notified if the Registry key
>>"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService"
>>is changed and restore its previous values.
>>
>>In other words, the removal of this beast is quite difficult, even if 
>>the person cleaning up the system was not blind. The best thing would 
>>be to reboot the system from a clean bootable media and remove all 
>>offending files, but that may be out of the question since the 
>>accessibility features in most Linux bootable CD distributions are not 
>>very good. The next best thing is to install anti-virus software
>>that can remove the Trojan. Sophos Anti-Virus 7 detects it as
>>Troj/KillJWS-A and it can successfully remove the Trojan.
>>
>>Next thing I wanted to check was the payload. If the discussion on 
>>ZoneBBS was correct, the Trojan would prevent screen readers from 
>>working on 26 December 2007. I started looking for the time comparison 
>>and it did not take too long to find this code snippet:
>>
>>
>>
>>The payload trigger time is compared with the current system time 
>>converted to the number of seconds expired since 1 January 1970. When 
>>converted to system time, the long value used for comparison is 
>>exactly 26 December 2007 at 0:00 and the payload will be launched if 
>>the current system time is later than the trigger time. The payload is 
>>relatively simple. The payload function enumerates all processes and 
>>compares the names of the running processes with a list of processes 
>>containing several well known text-to-speech programs such as Jaws, 
>>Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.
>>
>>Overall, this attack left me questioning the attacker's morality as it 
>>is really difficult to imagine what would be the motivation for an 
>>attack like this one. The attack does not seem to be financially 
>>motivated, although one may think that the intention was to "punish" 
>>people using illegal copies of JAWS software. All this makes me think 
>>that long prison sentences for malware writers conducting attacks such
>>as this one are not as harsh as I used to believe.
>>
>>Vanja Svajcer, SophosLabs, UK
>>
>>To unsubscribe from the list, send an email to:
>>
>>aebc-unsubscribe@xxxxxxxxxxxxxxxxx
>>
>>Leave the body and subject fields blank.  You will receive a message
>>back asking you to confirm this action.  Simply reply to the message
>>leaving the body and subject of the message intact.
>>
>>
>>This mailing list is sponsored by The Alliance for Equality of Blind 
>>Canadians For More Information Please call 1 800 561 4774 Or visit our 
>>web site at www.BlindCanadians.ca
>>
>>Disclaimer Neither the AEBC or this list moderator will be held 
>>responsible for material posted on this list. ''If you say it, then 
>>you are responsible for it.''
>>Messages are posted as they were intended by the author!
>
> --
> JFW related links:
> JFW homepage: http://www.freedomscientific.com/ Scripting mailing 
> list:
> http://lists.the-jdh.com/listinfo.cgi/scriptography-the-jdh.com
> JFW List instructions:
> To post a message to the list, send it to jfw@xxxxxxxxxxxxx To 
> unsubscribe from this mailing list, send a message to 
> jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
> Archives located at: //www.freelists.org/archives/jfw
>
> If you have any concerns about the list, post received from the list, 
> or the way the list is being run, do not post them to the list. Rather 
> contact the list owner at jfw-admins@xxxxxxxxxxxxxx
> 
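The forwarded Sophos analysis above describes the trigger as a comparison of the current system time, expressed as seconds since 1 January 1970, against a hard-coded constant equal to 26 December 2007 00:00, with the payload running once the clock is past that value. The script below is an added example written for this page, not code from Sophos or from the malware: it shows how to hunt a dropped binary for such epoch-timestamp constants and how the fire/no-fire comparison behaves. The instruction bytes in SAMPLE_CODE are constructed for the example (an assumed x86 "cmp eax, imm32" around the trigger value), not bytes from the real Troj/KillJWS-A file, and the search window is an assumption chosen around the reported incident date.

```python
"""
Hunt a binary for a hard-coded Unix-epoch trigger time and model the
'fire when now > trigger' check described in the Sophos write-up.
Sample bytes are constructed for this example, not taken from the malware.
"""
import struct
from datetime import datetime, timezone


def epoch(year, month, day):
    """Seconds since 1970-01-01 00:00 UTC for midnight on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Trigger named in the analysis: midnight on 26 December 2007 (1198627200).
TRIGGER = epoch(2007, 12, 26)


def find_epoch_constants(blob, low, high):
    """Scan every byte offset of blob for a 32-bit little-endian value that
    falls inside the epoch window [low, high]. Returns a list of
    (offset, value, iso_utc_string). x86 immediates are not aligned, so the
    scan steps one byte at a time rather than four."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if low <= val <= high:
            stamp = datetime.fromtimestamp(val, timezone.utc).isoformat()
            hits.append((off, val, stamp))
    return hits


def payload_would_fire(now, trigger=TRIGGER):
    """The comparison the analysis describes: the payload runs only once
    'now' (seconds since the epoch) is later than the trigger time."""
    return now > trigger


# Constructed sample (assumed encoding, not real malware bytes): an x86
# 'cmp eax, imm32' (opcode 0x3D) carrying the trigger, with a few ordinary
# instruction bytes around it. The immediate sits at offset 6.
SAMPLE_CODE = b"".join([
    b"\x90\x90",                          # nop; nop
    b"\x8b\x45\xfc",                      # mov eax, [ebp-4]  (current time, assumed)
    b"\x3d", struct.pack("<I", TRIGGER),  # cmp eax, 0x47719980
    b"\x76\x10",                          # jbe +0x10 (skip payload if not past trigger)
    b"\xc3",                              # ret
])


def hunt_sample(days_before=30, days_after=400):
    """Search SAMPLE_CODE for constants in a window around the reported
    incident date (Boxing Day 2007). Keep the window narrow: a random 32-bit
    value lands in any one-year span with probability 365*86400 / 2**32,
    roughly 0.7 % (about 1 in 136), so a wide window over a large binary
    produces plenty of false hits that then need checking in the disassembly."""
    low = epoch(2007, 12, 26) - days_before * 86400
    high = epoch(2007, 12, 26) + days_after * 86400
    return find_epoch_constants(SAMPLE_CODE, low, high)


if __name__ == "__main__":
    for off, val, stamp in hunt_sample():
        print(f"offset {off}: 0x{val:08x} -> {stamp}")
    print("fires on 27 Dec 2007:", payload_would_fire(epoch(2007, 12, 27)))
    print("fires on 25 Dec 2007:", payload_would_fire(epoch(2007, 12, 25)))
```

Each hit is only a candidate: the offset has to be confirmed in the disassembler as the operand of a compare against a time value, as the analysis did. Running the same scan with a window around the installation date of a suspect file is a quick way to surface a time bomb before the trigger date arrives.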
