[AI] Fw: A Trojan Horse that targets Blindness Products

Amar Jain amarjain2006 at gmail.com
Sat Jan 26 03:13:14 EST 2008


Respected,
Thanks a lot for this very useful information.
Regards,
AMAR JAIN.
MOBILE:+91 9929 87 9006.
EMAILS:amarjain2006 at yahoo.co.in
amarjain2006 at rediff.com
amarjain2006 at gmail.com




----- Original Message ----- 
From: "Mamta" <mamtabc at accessindia.org.in>
To: <accessindia at accessindia.org.in>
Sent: Wednesday, January 23, 2008 11:36 PM
Subject: Re: [AI] Fw: A Trojan Horse that targets Blindness Products


> Thanks a lot for this warning!
>
> However, for those who want to read about this, here is the content pasted
> below:
>
> 17 January 2008 16:29 GMT
>
> Blind computer users struck by a very unusual Trojan attack
>
> While I was investigating reports of the Troj/Mbroot-A Master Boot Record
> rootkit I decided to follow up on a suggestion seen on a mailing list. It was
> suggested that an incident described on the ZoneBBS forum may be related to
> the MBR trojan I was initially looking for.
>
> The thread contains a number of posts submitted by several very distressed
> forum members. According to their reports, they have been unable to use their
> Windows computers since Boxing Day. The news itself would not be very
> interesting if the forum members complaining about these incidents were not
> blind. Their computers were rendered unusable because the software used to
> read the screen text and convert it to speech suddenly stopped working. An
> interesting thing was that not all users were using the same screen reader
> software.
>
> I was quite keen to help, but the users had already managed to pinpoint the
> culprit. It was a fake crack for JAWS 9.0 screen reader software, one of the
> most popular screen readers. Allegedly, the crack did not just patch the JAWS
> executables to allow them to run without a legitimate licence, but it also
> installed a Trojan targeting JAWS and other popular screen readers.
>
> Thanks to Ryan Smith, a developer of accessible games who also created a tool
> to help the users prevent the Trojan, I have managed to get the offending
> file. When I ran it through our automated analysis system I could immediately
> see that the patch installs more than one would hope for. Three additional
> files were installed, two executables - mci32.exe in Windows and svchost.exe
> in the Windows\Config folder. Furthermore, there was a DLL named
> securityService.dll in the System folder. Suspicious registry activity
> triggered the detection in the HIPS portion of Sophos Anti-Virus 7.
>
> [image: killjws2.jpg]
>
> The dropped DLL was also registered with the Winlogon process so that the
> malicious code was loaded early during the logon process.
>
> I started the disassembly with interest. It soon became clear that this was a
> very unusual and well-executed attack targeting blind people. The attention
> to detail and the programming style imply that the attacker was skilled,
> possibly a professional programmer.
>
> As with some other advanced malware, the Trojan processes are protected by
> each other. The securityService.dll is protecting svchost.exe so it cannot be
> terminated using standard tools such as Task Manager, and svchost shields
> mci32.exe from deletion. This is a protection chain similar to the one seen in
> some earlier variants of Troj/Zlob. Furthermore, the securityService.dll
> registered a handler function which will get notified if the Registry key
> "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService"
> is changed and restore its previous values.
>
> In other words, the removal of this beast is quite difficult, even if the
> person cleaning up the system was not blind. The best thing would be to reboot
> the system from clean bootable media and remove all offending files, but that
> may be out of the question since the accessibility features in most Linux
> bootable CD distributions are not very good. The next best thing is to
> install anti-virus software that can remove the Trojan. Sophos Anti-Virus 7
> detects it as Troj/KillJWS-A and it can successfully remove the Trojan.
>
> The next thing I wanted to check was the payload. If the discussion on ZoneBBS
> was correct, the Trojan would prevent screen readers from working on 26
> December 2007. I started looking for the time comparison and it did not take
> too long to find this code snippet:
>
> [image: disassembly of Troj/KillJWS-A]
>
> The payload trigger time is compared with the current system time converted
> to the number of seconds expired since 1 January 1970. When converted to
> system time, the long value used for comparison is exactly 26 December 2007 at
> 0:00 and the payload will be launched if the current system time is later than
> the trigger time. The payload is relatively simple. The payload function
> enumerates all processes and compares the names of the running processes with
> a list of processes containing several well-known text-to-speech programs such
> as Jaws, Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.
>
> Overall, this attack left me questioning the attacker's morality as it is
> really difficult to imagine what would be the motivation for an attack like
> this one. The attack does not seem to be financially motivated, although one
> may think that the intention was to "punish" people using illegal copies of
> JAWS software. All this makes me think that long prison sentences for malware
> writers conducting attacks such as this one are not as harsh as I used to
> believe.
>
> Vanja Svajcer, SophosLabs, UK
>
> ----- Original Message -----
> From: "Vetrivel Adhimoolam" <vadhimoolam at gmail.com>
> To: <accessindia at accessindia.org.in>
> Sent: Wednesday, January 23, 2008 11:23 PM
> Subject: [AI] Fw: A Trojan Horse that targets Blindness Products
>
>
> Be aware!
>
> ----- Original Message ----- 
> From: Stephen Baum
> To: k1000 at listserv.kurzweiledu.com ; k3000 at listerv.kurzweiledu.com
> Sent: Wednesday, January 23, 2008 9:34 AM
> Subject: A Trojan Horse that targets Blindness Products
>
>
> This was brought to our attention by a customer, and we thought you
> should know about it.
>
> There is apparently a trojan horse (that's a particularly nasty
> variety of malware) that disables a variety of products for people
> with disabilities, but particularly JAWS, WindowEyes, Microsoft
> Narrator, HAL, and Kurzweil. It was masquerading as a crack to
> disable the software protection features of JAWS 9.0. See
> http://www.sophos.com/security/blog/2008/01/998.html for additional
> information.
>
> Stephen
>
> *******************************************************
> To find out how to unsubscribe, please visit:
> http://www.kurzweiledu.com/support_listserv_signup.asp
> To unsubscribe send a message to accessindia-request at accessindia.org.in 
> with
> the subject unsubscribe.
>
> To change your subscription to digest mode or make any other changes, 
> please
> visit the list home page at
>  http://accessindia.org.in/mailman/listinfo/accessindia_accessindia.org.in
>
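The SophosLabs write-up quoted above describes two pieces of Troj/KillJWS-A logic in prose: a time-bomb trigger compared as seconds since 1 January 1970, and a payload that enumerates running processes and matches their names against a list of screen readers. The following Python is an added example that re-implements that described logic for analysis and testing purposes; it is not the Trojan's code, not Sophos's, and not taken from the disassembly. The page does not show the constant used in the comparison, so the value here is simply what 26 December 2007 00:00 converts to, assuming the comparison was made in UTC. The executable names in TARGET_PROCESSES (jfw.exe, wineyes.exe, narrator.exe, hal.exe, kurzweil.exe) and the process snapshot are my own illustrative assumptions, not a list recovered from the sample.

```python
"""Added example: re-implementation of the KillJWS-A trigger and process-match
logic as described in the SophosLabs analysis. Not the malware's own code."""
import calendar
from datetime import datetime, timezone


def trigger_epoch(year=2007, month=12, day=26):
    """Seconds since 1 January 1970 for the trigger date given in the write-up.
    Assumes the comparison was done against a UTC clock (assumption: the page
    does not say which time base the sample used)."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def epoch_to_utc(value):
    """Analyst helper: turn an epoch-seconds constant found in a disassembly
    back into a human-readable UTC date, so a trigger date can be confirmed."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def payload_armed(now_epoch, trigger=None):
    """True when the clock reading is strictly later than the trigger, which is
    the condition the write-up describes for launching the payload."""
    if trigger is None:
        trigger = trigger_epoch()
    return now_epoch > trigger


# Products named in the write-up: JAWS, Window-Eyes, Narrator, HAL, Kurzweil.
# The executable names are an illustrative assumption, not recovered from the sample.
TARGET_PROCESSES = {"jfw.exe", "wineyes.exe", "narrator.exe", "hal.exe", "kurzweil.exe"}


def matching_processes(running, targets=TARGET_PROCESSES):
    """Case-insensitive match of running image names against the target set,
    mirroring the enumerate-and-compare loop the analysis describes."""
    wanted = {t.lower() for t in targets}
    return sorted(p for p in running if p.lower() in wanted)


def simulate(now_epoch, running):
    """What the described payload would do at a given clock reading: nothing
    before the trigger, kill every matching screen reader after it.
    Returns the names that would be targeted instead of killing anything."""
    if not payload_armed(now_epoch):
        return []
    return matching_processes(running)


if __name__ == "__main__":
    # Constructed process snapshot (not captured from a real system).
    snapshot = ["explorer.exe", "JFW.exe", "svchost.exe", "Narrator.exe", "notepad.exe"]
    t = trigger_epoch()
    print(t, epoch_to_utc(t))        # 1198627200 2007-12-26 00:00:00+00:00
    print(simulate(t - 1, snapshot))  # [] (clock still before the trigger)
    print(simulate(t + 1, snapshot))  # ['JFW.exe', 'Narrator.exe']
```

Running the script with a clock set one second either side of the trigger shows why the forum members' machines all failed on the same day regardless of which screen reader they used: the date check is shared, and only the name list differs per product. The same epoch_to_utc helper is what an analyst would reach for to confirm a suspected time-bomb constant pulled from a disassembly.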