A compromised variant of Simurgh – a stand-alone proxy software for Microsoft Windows that has been heavily used by Iranians to get around censorship since 2009, and is used now by Syrian dissidents – has been discovered by the researchers from Citizen Lab.
This version does install Simurgh, but it also installs a backdoor on the victims’ computer.
Among the other files dropped onto the computers is one executable that allows the Trojan to persist on the machine, collect the IP address, hostname and victim username, and log keystrokes. These logs are then sent via HTTP post request to a remote site registered with a Saudi Arabian ISP.
The popularity of Simurgh rests in its small size (around 1MB), which makes it easy to download it speedily. It is also able to run without prior installation or administrator privileges, and it’s easy to share with others via USB drives.
The researchers have alerted the webmasters of the site that hosted the Trojanized variant, and they have since removed it.
Simurgh’s developers have also set up a warning in Arabic, Farsi and English on their website, and have shared the MD5 checksums of the legitimate and of the malicious files, so that users can verify what they have downloaded.
Simurgh, once started, opens up a test page in order to confirm the establishment of a secure connection. Those users who might be compromised will see another warning:
“If this Trojan is found to be installed on a computer one must consider all online accounts (e-mail, banking, etc.) to have been compromised and it is advised that all online passwords be changed as soon as possible,” the researchers warn. “While this Trojan is detected by most anti-virus software as malicious, AV software cannot always be guaranteed to clean up an infected system and a full re-install is suggested.”
“This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan.”