Respected,

Thanks a lot for this very useful information.

Regards,
AMAR JAIN.
MOBILE: +91 9929 87 9006.
EMAILS: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
----- Original Message -----
From: "Mamta" <[EMAIL PROTECTED]>
To: <accessindia@accessindia.org.in>
Sent: Wednesday, January 23, 2008 11:36 PM
Subject: Re: [AI] Fw: A Trojan Horse that targets Blindness Products

> Thanks a lot for this warning!
>
> However, for those who want to read about this, here is the content pasted below:
>
> 17 January 2008 16:29 GMT
>
> Blind computer users struck by a very unusual Trojan attack
>
> While I was investigating reports of the Troj/Mbroot-A Master Boot Record rootkit I decided to follow up on a suggestion seen on a mailing list. It was suggested that an incident described on the ZoneBBS forum may be related to the MBR trojan I was initially looking for.
>
> The thread contains a number of posts submitted by several very distressed forum members. According to their reports, they have been unable to use their Windows computers since Boxing Day. The news itself would not be very interesting if the forum members complaining about these incidents were not blind. Their computers were rendered unusable because the software used to read the screen text and convert it to speech suddenly stopped working. An interesting thing was that not all users were using the same screen reader software.
>
> I was quite keen to help, but the users had already managed to pinpoint the culprit. It was a fake crack for the JAWS 9.0 screen reader software, one of the most popular screen readers. Allegedly, the crack did not just patch the JAWS executables to allow them to run without a legitimate licence, but it also installed a Trojan targeting JAWS and other popular screen readers.
>
> Thanks to Ryan Smith, a developer of accessible games who also created a tool to help the users prevent the Trojan, I have managed to get the offending file. When I ran it through our automated analysis system I could immediately see that the patch installs more than one would hope for.
> Three additional files were installed: two executables, mci32.exe in Windows and svchost.exe in the Windows\Config folder. Furthermore, there was a DLL named securityService.dll in the System folder. Suspicious registry activity triggered the detection in the HIPS portion of Sophos Anti-Virus 7.
>
> [image: killjws2.jpg]
>
> The dropped DLL was also registered with the Winlogon process so that the malicious code was loaded early during the logon process.
>
> I started the disassembly with interest. It soon became clear that this was a very unusual and well-executed attack targeting blind people. The attention to detail and the programming style imply that the attacker was skilled, possibly a professional programmer.
>
> As with some other advanced malware, the Trojan processes are protected by each other. The securityService.dll is protecting svchost.exe so it cannot be terminated using standard tools such as Task Manager, and svchost shields mci32.exe from deletion. This is a protection chain similar to the one seen in some earlier variants of Troj/Zlob. Furthermore, the securityService.dll registered a handler function which will get notified if the Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService" is changed and restore its previous values.
>
> In other words, the removal of this beast is quite difficult, even if the person cleaning up the system is not blind. The best thing would be to reboot the system from clean bootable media and remove all offending files, but that may be out of the question since the accessibility features in most Linux bootable CD distributions are not very good. The next best thing is to install anti-virus software that can remove the Trojan. Sophos Anti-Virus 7 detects it as Troj/KillJWS-A and it can successfully remove the Trojan.
>
> The next thing I wanted to check was the payload.
> If the discussion on ZoneBBS was correct, the Trojan would prevent screen readers from working on 26 December 2007. I started looking for the time comparison and it did not take too long to find this code snippet:
>
> [image: Disassembly Troj/KillJWS-A]
>
> The payload trigger time is compared with the current system time converted to the number of seconds elapsed since 1 January 1970. When converted to system time, the long value used for comparison is exactly 26 December 2007 at 0:00, and the payload will be launched if the current system time is later than the trigger time. The payload is relatively simple. The payload function enumerates all processes and compares the names of the running processes with a list of processes containing several well known text-to-speech programs such as Jaws, Windows Eyes, Microsoft Narrator, HAL Screen Reader and Kurzweil.
>
> Overall, this attack left me questioning the attacker's morality, as it is really difficult to imagine what the motivation for an attack like this one would be. The attack does not seem to be financially motivated, although one may think that the intention was to "punish" people using illegal copies of JAWS software. All this makes me think that long prison sentences for malware writers conducting attacks such as this one are not as harsh as I used to believe.
>
> Vanja Svajcer, SophosLabs, UK
>
> ----- Original Message -----
> From: "Vetrivel Adhimoolam" <[EMAIL PROTECTED]>
> To: <accessindia@accessindia.org.in>
> Sent: Wednesday, January 23, 2008 11:23 PM
> Subject: [AI] Fw: A Trojan Horse that targets Blindness Products
>
> Be aware!
>
> ----- Original Message -----
> From: Stephen Baum
> To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
> Sent: Wednesday, January 23, 2008 9:34 AM
> Subject: A Trojan Horse that targets Blindness Products
>
> This was brought to our attention by a customer, and we thought you should know about it.
> There is apparently a trojan horse (that's a particularly nasty variety of malware) that disables a variety of products for people with disabilities, but particularly JAWS, WindowEyes, Microsoft Narrator, HAL, and Kurzweil. It was masquerading as a crack to disable the software protection features of JAWS 9.0. See http://www.sophos.com/security/blog/2008/01/998.html for additional information.
>
> Stephen
>
> *******************************************************
> To find out how to unsubscribe, please visit:
> http://www.kurzweiledu.com/support_listserv_signup.asp
>
> To unsubscribe send a message to [EMAIL PROTECTED] with the subject unsubscribe.
>
> To change your subscription to digest mode or make any other changes, please visit the list home page at
> http://accessindia.org.in/mailman/listinfo/accessindia_accessindia.org.in