[AI] Fw: A Trojan Horse that targets Blindness Products

Mamta mamtabc at accessindia.org.in
Wed Jan 23 13:06:35 EST 2008


Thanks a lot for this warning!

However, for those who want to read about this, here is the content pasted below:

17 January 2008 16:29 GMT

Blind computer users struck by a very unusual Trojan attack

While I was investigating reports of the Troj/Mbroot-A Master Boot Record rootkit I decided to follow up on a suggestion seen on a mailing list. It was suggested that an incident described on the ZoneBBS forum may be related to the MBR trojan I was initially looking for.

The thread contains a number of posts submitted by several very distressed forum members. According to their reports, they have been unable to use their Windows computers since Boxing Day. The news itself would not be very interesting if the forum members complaining about these incidents were not blind.

Their computers were rendered unusable because the software used to read the screen text and convert it to speech suddenly stopped working. An interesting thing was that not all users were using the same screen reader software.

I was quite keen to help, but the users had already managed to pinpoint the culprit. It was a fake crack for JAWS 9.0 screen reader software, one of the most popular screen readers. Allegedly, the crack did not just patch the JAWS executables to allow them to run without a legitimate licence, but it also installed a Trojan targeting JAWS and other popular screen readers.

Thanks to Ryan Smith, a developer of accessible games who also created a tool to help the users prevent the Trojan, I have managed to get the offending file. When I ran it through our automated analysis system I could immediately see that the patch installs more than one would hope for. Three additional files were installed: two executables, mci32.exe in Windows and svchost.exe in the Windows\Config folder. Furthermore, there was a DLL named securityService.dll in the System folder. Suspicious registry activity triggered the detection in the HIPS portion of Sophos Anti-Virus 7.

[Image: killjws2.jpg]

The dropped DLL was also registered with Winlogon process so that the 
malicious code was loaded early during the logon process.

I started the disassembly with interest. It soon became clear that this was a very unusual and well-executed attack targeting blind people. The attention to detail and the programming style implies that the attacker was skilled, possibly a professional programmer.

As with some other advanced malware, the Trojan processes are protected by each other. The securityService.dll is protecting svchost.exe so it cannot be terminated using standard tools such as Task Manager, and svchost shields mci32.exe from deletion. This is a protection chain similar to the one seen in some earlier variants of Troj/Zlob. Furthermore, the securityService.dll registered a handler function which will get notified if the Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore its previous values.

In other words, the removal of this beast is quite difficult, even if the person cleaning up the system was not blind. The best thing would be to reboot the system from a clean bootable media and remove all offending files, but that may be out of the question since the accessibility features in most Linux bootable CD distributions are not very good. The next best thing is to install anti-virus software that can remove the Trojan. Sophos Anti-Virus 7 detects it as Troj/KillJWS-A and it can successfully remove the Trojan.

The next thing I wanted to check was the payload. If the discussion on ZoneBBS was correct, the Trojan would prevent screen readers from working on 26 December 2007. I started looking for the time comparison and it did not take too long to find this code snippet:

[Image: disassembly of Troj/KillJWS-A]

The payload trigger time is compared with the current system time converted to the number of seconds expired since 1 January 1970. When converted to system time, the long value used for comparison is exactly 26 December 2007 at 0:00 and the payload will be launched if the current system time is later than the trigger time. The payload is relatively simple. The payload function enumerates all processes and compares the names of the running processes with a list of processes containing several well known text-to-speech programs such as Jaws, Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.

Overall, this attack left me questioning the attacker's morality as it is really difficult to imagine what would be the motivation for an attack like this one. The attack does not seem to be financially motivated, although one may think that the intention was to "punish" people using illegal copies of JAWS software. All this makes me think that long prison sentences for malware writers conducting attacks such as this one are not as harsh as I used to believe.

Vanja Svajcer, SophosLabs, UK

----- Original Message -----
From: "Vetrivel Adhimoolam" <vadhimoolam at gmail.com>
To: <accessindia at accessindia.org.in>
Sent: Wednesday, January 23, 2008 11:23 PM
Subject: [AI] Fw: A Trojan Horse that targets Blindness Products


Be aware!

----- Original Message ----- 
From: Stephen Baum
To: k1000 at listserv.kurzweiledu.com ; k3000 at listerv.kurzweiledu.com
Sent: Wednesday, January 23, 2008 9:34 AM
Subject: A Trojan Horse that targets Blindness Products


This was brought to our attention by a customer, and we thought you
should know about it.

There is apparently a trojan horse (that's a particularly nasty
variety of malware) that disables a variety of products for people
with disabilities, but particularly JAWS, WindowEyes, Microsoft
Narrator, HAL, and Kurzweil. It was masquerading as a crack to
disable the software protection features of JAWS 9.0. See
http://www.sophos.com/security/blog/2008/01/998.html for additional
information.

Stephen
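As an added illustration (not part of the Sophos post or of this list thread), the following Python triage script encodes the indicators the write-up describes: the trigger-time comparison against seconds since 1 January 1970, the three dropped files, and the Winlogon Notify persistence key. The Windows XP Notify baseline and the sample process list and registry data are assumptions I constructed, not captures from an infected machine.

```python
import calendar
import ntpath

# Trigger time from the write-up: 26 December 2007 00:00, as seconds since
# 1 January 1970 (taken as UTC; the post does not say which zone was used).
TRIGGER_EPOCH = calendar.timegm((2007, 12, 26, 0, 0, 0))  # 1198627200

# Winlogon Notify subkeys present on a stock Windows XP install (assumption:
# a baseline I constructed; vendor drivers may legitimately add entries).
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def payload_would_fire(now_epoch):
    """The post says the payload runs when the current time is later than
    the trigger time, so a clock set before 26 Dec 2007 keeps it silent."""
    return now_epoch > TRIGGER_EPOCH

def suspicious_processes(processes):
    """processes: list of (image name, full path). Flags the dropped files
    named in the post, including svchost.exe running outside System32,
    which is the only place the legitimate one lives."""
    hits = []
    for name, path in processes:
        low_name, low_dir = name.lower(), ntpath.dirname(path).lower()
        if low_name == "svchost.exe" and not low_dir.endswith("\\system32"):
            hits.append(path)
        elif low_name in ("mci32.exe", "securityservice.dll"):
            hits.append(path)
    return hits

def suspicious_notify_keys(notify):
    """notify: {subkey name: DllName} read from HKLM\\...\\Winlogon\\Notify.
    Returns subkeys outside the baseline; the post's securityService entry
    persists there and restores itself when the key is changed."""
    return {k: v for k, v in notify.items() if k.lower() not in BASELINE_NOTIFY}

# Constructed sample data (not a real capture) mirroring the post's indicators.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\Config\svchost.exe"),
    ("mci32.exe", r"C:\WINDOWS\mci32.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]
SAMPLE_NOTIFY = {"crypt32chain": "crypt32.dll", "ScCertProp": "wlnotify.dll",
                 "securityService": "securityService.dll"}

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PROCESSES))
    print(suspicious_notify_keys(SAMPLE_NOTIFY))
    print(payload_would_fire(TRIGGER_EPOCH + 1))
```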
