Occupy Boston Gets Legal Cover, But Not All Protesters Like It

The Boston Occupy protest at Dewey Square is at the heart of a court battle over whether Occupying is protected by the First Amendment. Photo: Quinn Norton/Wired

Occupy Boston finds itself in an odd position — it’s actually protected from eviction by a judge, but some participants see signing on to the authority of a system they are protesting as selling out.

On Nov. 15, the same day that the NYPD raided and evicted Occupy Wall Street, the National Lawyers Guild and Massachusetts ACLU went to court to get an order preventing Boston police from evicting Occupy Boston from its space at Dewey Square, underneath Boston’s iconic Federal Reserve building.

The move was considered approved by Occupy Boston’s General Assembly, the collective decision-making body of the occupation, according to K. Eric Martin, one of the occupiers and a plaintiff in the case.

“The legal team had already put forth a proposal to the General Assembly that was passed a few weeks prior to prepare legal action for the imminent threat of eviction,” he said. “They acted on that previous general assembly approval, went forward and filed the paperwork.”

The city protested that an injunction was premature and that it would need the element of surprise for an easier, safer eviction if it did choose to remove the occupation.

Judge Frances McIntyre appeared dismayed by this argument, according to Martin, and was sympathetic to the plaintiff’s argument that occupying the park physically is a free-speech issue.

In her Nov. 17 ruling granting the restraining order, McIntyre wrote, “Unlike the circumstance involving Zuccotti Park in New York and Occupy Wall Street, it is undisputed that Dewey Park is a traditional public forum.”

Beware of Your Holiday Travel E-Ticket Confirmation

How does Symantec know it's the week of Thanksgiving? Because as the busiest travel day of the year, the day just before Thanksgiving, quickly approaches, there is a surge in fake email ticket confirmations that lead to viruses.

Here is what a fake airline message looks like:

If you inspect the HTML coding for this message carefully, you will notice a malicious link in the anchor tag:

This link redirects to a known malware-hosting site in Russia which previously hosted Trojan.Maljava. Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that exploit one or more vulnerabilities, one of many threats awaiting an unsuspecting user.

So before you click through emails during the holiday rush, here are some best practices to protect yourself from these types of malicious email attacks:

  • Be selective about websites you give your email address to.
  • Before entering personal or financial details online, ensure the website has SSL encryption (look for things like HTTPS, a padlock, or a green address bar).
  • Avoid clicking on suspicious links in email or instant messages as these may be links to spoofed websites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
  • Do not open spam messages.
  • Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
  • Do not open unknown email attachments. These attachments could compromise your computer.
  • Always be sure that your operating system is up-to-date with the latest updates and use a comprehensive security suite. For details on Symantec’s offerings, visit http://www.symantec.com.

Senator Promises To Filibuster Internet Blacklisting Bill

Sen. Ron Wyden (D-Oregon) promised Monday to filibuster a controversial Senate proposal that greatly expands the government’s ability to shutter and disrupt websites “dedicated to infringing activities.”

The Protect IP Act, like the House’s Stop Online Piracy Act, largely grants rights holders the unfettered power to effectively kill websites they believe are dedicated to infringing activities — all in a bid to combat piracy.

Wyden tried to kill the bill six months ago by putting a hold on it, a rarely used Senate rule (.pdf) allowing one senator to block a measure from a floor vote.

But Wyden’s office reported Monday that there’s movement afoot to undo that hold, which would take 60 Senate votes. The vote could come following the Thanksgiving holiday.

If PIPA reaches the floor, Wyden promises he will exercise another Senate rule: the filibuster.

Instead of reading the telephone book, he would read the names of Americans opposed to the measure lodged at stopcensorship.org, Jennifer Hoelzer, Wyden’s spokeswoman said in a telephone interview.

“Right now our focus is trying to keep this from coming to the floor,” Hoelzer said.

When Wyden blocked the bill, he said: “By ceding control of the internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the internet, PIPA represents a threat to our economic future and to our international objectives.”

The measures also boost the government’s authority to disrupt and shutter websites that hawk or host trademark- and copyright-infringing products, including allowing the government to order sites removed from search engines. They allow the Justice Department to obtain court orders demanding that American ISPs blacklist websites via DNS. That’s a feature even the bill’s main House backer conceded Wednesday was problematic for a host of reasons, including the threat it poses to a secure and uniform internet.

The Senate measure was voted out of the Senate Judiciary committee in May, and Wyden placed a hold on it.

The House version had its first hearing last week. No vote was taken to send it to the full House.

Visit stopcensorship.org to oppose the legislation.

ZeroAccess Rootkit Launched by Signed Installers

Digital certificates and certificate authorities have been much in the news recently. Attacks involving stolen certificates, such as those used by Stuxnet, Duqu, and other malware, show an increasingly worrisome new security trend.

Certificate authorities have been targeted several times in the recent past with some success. There is a large chunk of known malware signed by apparently legitimate companies that appear to have authored malware, adware, and/or potentially unwanted programs. As a matter of fact, a very significant percentage of recent malware executables (as high as 5 percent) purport to be, or are, signed with some sort of certificate. Even in the case of mobile malware, signed executables have appeared because issuers have failed to see the malware in the files before approving them. This attention to certificates by malware authors seems to validate that they are indeed the “keys to the kingdom.”

A few days ago, we first saw a new attack that turned out to be variants of the infamous ZeroAccess rootkit, launched by digitally signed installers and uninstallers. In the cases observed so far, the signed application is a valid program, such as the installer for recent Flash Player versions, as shown below.

As eager as vendors are to patch vulnerabilities, users are likewise eager to keep themselves protected. This gives the malware author an opportunity to prey on this (real or perceived) fear and, with it, the user’s assumption that whatever is signed must be trustworthy. The challenge for malware authors is how to supply victims with a legitimately signed, unmodified application that nonetheless serves their nefarious purposes.

The answer lies in the imported DLLs (Dynamic Link Libraries) and how they are referenced. In 1998, the Lorez virus used a simple trick.[1] It infected the Kernel32.DLL module of Windows by copying it from its usual known location to the Windows folder. On startup, Windows would load this DLL instead of the original, clean file, because the LoadLibrary() API first searches the current directory for library files.

This attack got a lot of attention last year when it was newly “discovered,” and Microsoft issued a possible fix using a registry key.[2] This registry entry was supposed to control the operating system functions and prevent this behavior. One of the issues (in rare cases) with this fix is that it can potentially break the functionality of some applications.

In the past, it appears that the DLL preload method was targeted by early variants of this malware to allow installation with legitimate applications. Below we see what appears to be a fix implemented by a well-known browser to bypass illegitimate DLLs that have been placed in the same directory to take advantage of this condition.

In more recent variants we see that dummy functions have been added to the DLL that bypass this check:

Now, even more recent versions look to be taking aim at the trust model that certificates use.

Below we see how the ZeroAccess package may look in a designated folder on a test machine.

The actual malware file pretends to be msimg32.dll. Known variants of this module are detected by McAfee as ZeroAccess.dr. The Flash Player installer indirectly references “msimg32.dll” via its imports. See the dependencies below:

When the user executes the installer, the malicious, mimicked DLL will load. This DLL preload issue arises because the system normally looks in the current directory first for any DLL dependencies the executable needs. If it finds the module there, it loads it, moving on to the defined search path only as necessary. As we already stated, this is far from the first time anyone has seen this happen.
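The check a defender would want against this pattern, added here as an example and not code from McAfee Labs or the original post: parse an executable's import table and flag any imported DLL that also sits in the executable's own directory, since the loader takes it from there before System32 unless it is a KnownDLL. The KnownDLLs subset, the constructed minimal PE built by `build_test_pe`, and the file listing are assumptions made for the offline demonstration.

```python
import struct

KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ntdll.dll"}  # assumed subset; always mapped from System32

def pe_imports(data: bytes) -> list[str]:
    """Return DLL names from a PE file's import directory (PE32 or PE32+), using struct only."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew points at the PE signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                         # optional header follows the 20-byte COFF header
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # data directory table
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]  # entry 1 = import directory
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsect):                                # 40-byte section headers follow the optional header
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    def off(rva):                                         # map an RVA to a file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} outside all sections")
    names, desc = [], off(imp_rva)
    while (name_rva := struct.unpack_from("<I", data, desc + 12)[0]):  # Name field of IMAGE_IMPORT_DESCRIPTOR
        o = off(name_rva)
        names.append(data[o:data.index(b"\0", o)].decode("ascii"))
        desc += 20                                        # next 20-byte descriptor; an all-zero one ends the list
    return names

def sideload_candidates(imports: list[str], files_beside_exe: list[str]) -> list[str]:
    """Imports the loader would satisfy from the executable's own directory before System32."""
    beside = {f.lower() for f in files_beside_exe}
    return sorted(n for n in imports if n.lower() in beside and n.lower() not in KNOWN_DLLS)

def build_test_pe(dll_names: list[str]) -> bytes:
    """Constructed minimal PE32 holding only an import directory, so the audit can run offline."""
    va, raw = 0x1000, 0x200
    names = b"".join(n.encode() + b"\0" for n in dll_names)
    descs, pos = b"", va + 20 * (len(dll_names) + 1)     # name strings follow the descriptor array
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, pos, 0)
        pos += len(n) + 1
    sect = descs + b"\0" * 20 + names
    opt = (struct.pack("<H", 0x10B).ljust(104, b"\0") + struct.pack("<II", va, len(descs) + 20)).ljust(224, b"\0")
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt + b".idata\0\0"
           + struct.pack("<IIIIIIHHI", len(sect), va, len(sect), raw, 0, 0, 0, 0, 0x40000040))
    return hdr.ljust(raw, b"\0") + sect
```

On a real installer, pass the bytes of the file to `pe_imports` and `os.listdir` of its directory to `sideload_candidates`; any name it returns is a DLL the installer will load from beside itself rather than from System32.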

To a user, the reputation of the signed file looks correct, as most likely there are millions of users for it. However, when the two files get packaged together by the attackers, the ZeroAccess rootkit will be installed from the extra DLL. (This DLL is not signed in the variants we have observed so far.) Once executed, the installation begins, and code is injected into svchost.exe, which in turn will run ping.exe and inject extra code into it. So what we see is that a legitimate, trusted file is abused to bypass behavior blocking and the personal firewall. ZeroAccess is now installed as a by-product of the trust placed in a signed application. Let us be clear: This issue lies not with any particular vendor, but with the use of a signed executable in a way that compromises the user’s trust in the signature itself.

ZeroAccess is known to be very difficult to remove from a system. It has a variety of techniques to fight against antivirus and security products, and can do so generically. Previously, we discussed how the rootkit can generically kill AV and security products, using user-mode APC calls from kernel mode.[3] This attack is very serious, and successful against most targets.

This version of ZeroAccess uses another neat trick to also generically target certain security products. Once ZeroAccess is loaded, it prevents the execution of several security products by mimicking a load error. Upon execution, the user will see an error message similar to this:

Several installers and uninstallers have been observed, with variants of ZeroAccess. Those that we are aware of can be cleaned with the free McAfee Labs tool RootkitRemover, which is available for download.[4]

Once RootkitRemover detects the threat, it will report in a manner similar to what we see below, showing where the rootkit has replaced known files with itself in the Windows drivers directory.

    1. “Breaking the Lorez,” Peter Szor, Virus Bulletin, October 1998 (available at www.peterszor.com/lorez.pdf)
    2. Microsoft Knowledgebase Article on DLL load control: http://support.microsoft.com/kb/2264107
    3. “Asynchronous Harakiri++,” Peter Szor and Rachit Mathur, Virus Bulletin, October 2011
    4. Free ZeroAccess removal tool from McAfee Labs, RootkitRemover, available at http://vil.nai.com/images/562354_4.zip