Syrian opposition activists have been targeted by the government since the start of the massive anti-government protests in January 2011, but only recently have they begun to worry about malware spying on their activities.
According to CNN and Dlshad Othman, a software engineer who joined the regime opponents and helps them with their IT security, two separate pieces of malware have been discovered after a slew of activists had their computers compromised.
Variants of one of those – the simpler one – have also been shared with Symantec, and their malware experts have concluded that it records and steals information from the dissidents’ computers and sends it to a server that belongs to the Syrian Telecommunications Establishment, a government-owned telecom company.
The appearance of this particular malicious software can be pinpointed to December 2011, and the discovery seems to corroborate Othman’s claim that since then, a number of opposition members complained to him about their computers getting infected.
The dissidents usually get the virus through compromised email accounts of other opposition members, or via online chats that they believe they are having with a fellow dissident, but are actually having with a government agent who hijacked the account.
The simpler malware – dubbed Backdoor.Breut by Symantec – is a Trojan that does not seem to have been written by a sophisticated hacker. Nevertheless, it tries to do a number of things: open a backdoor into the system, steal passwords and system information, log keystrokes, take screenshots, download additional malware and disable the notifications of any antivirus software present on the computer.
The more complex one is more adept at hiding. A former aid worker who travels to Syria frequently and has contacts among the dissidents says that she received it during a Skype chat of the kind described above.
When she opened the file, nothing happened. She assumed the file was damaged and proceeded to ignore the incident, but a couple of days later she realized her Facebook and e-mail accounts were hijacked.
She asked Othman and a colleague of his for help, and they discovered the Trojan on her computer. It had taken screenshots, recorded keystrokes and rooted through her computer for other information. It finally sent all of it to a remote server whose IP address has been obfuscated.
The reason many antivirus products still don’t detect these two Trojans is that their spread was very localized. To develop signatures for malware, AV researchers must first be able to obtain and analyze a sample, and in this case few people knew the malware existed.