Activists in Iran and Syria targeted with malicious computer software
In February 2012 we learned that activists in Iran and Syria were targeted with two different types of malicious computer software. We received a copy of each malware, and Jonathan Tomek from ThreatGRID helped with the analysis.
How you get infected
The malicious software is spread as email attachments, and as files sent via Instant Messaging and Skype. The software looks like two completely harmless files: a Microsoft PowerPoint slide show and an image file. The malicious software will silently install itself on your computer when you open one of the files.
Malicious software, such as the two copies we analyzed, is normally designed to gather sensitive information and gain unauthorized access to a computer system. The seemingly harmless PowerPoint slide show turned out to be a keylogger, while the image file was really a backdoor, providing the attacker with full access to the system.
Both the keylogger and the backdoor will transfer data to www(dot)meroo(dot)no-ip(dot)org, on port 778. This domain name used to point to a server at a government-owned telecommunications company in Syria, but was later updated to point to a Linode server in London, UK. No-IP have since pointed the domain name to an invalid IP address (0.0.0.0).
Most anti-virus software will be able to detect and remove both the keylogger and the backdoor. You may try updating your anti-virus software, running it, and using it to remove the malware if anything pops up. However, the safest course of action is to re-install the operating system on your computer.
The EFF wrote a blog post called How to Find and Protect Yourself Against the Pro-Syrian-Government Malware on Your Computer. In the post, they recommend "that you take steps to protect yourself from being infected by not running any software received through e-mail, not installing software at all except over HTTPS, and not installing software from unfamiliar sources even if recommended by a pop-up ad or a casual recommendation from a friend."
PowerPoint slide show: keylogger
When you first try to open the PowerPoint slide show, you will get a security warning asking if you really want to allow this file to run. The Name field points to the following executable file: C:\Program Files\Common Files\VMConvert32\wmccds.exe
If you ignore the warning and click Run, a self-extracting rar file will install the malware (the wmccds executable) onto your computer. The PowerPoint slide show will then open and you will see a series of images and some text in Farsi. The malware will not activate until you reboot your computer.
The first time you reboot, the malware will activate and start logging your keystrokes. If you are running Windows 7, you will see the same warning as mentioned above, and you have to click Run before the malware is actually activated. Older versions of Windows will not display this warning when you reboot.
The malware will modify the Windows startup script to ensure that the keylogger is always running when you are using the computer. The keylogger will affect your whole system, and it will even send the contents of your clipboard to the attacker. The Tor Browser Bundle does not protect you if you have a keylogger on your system.
Windows screen saver: backdoor
The Windows screen saver contains a type of malware that is a bit more complex than the one described above. When you run the Windows screen saver, it will start an image program and show you a picture (we saw a picture of a rifle, but that is not always the case). Meanwhile, the malicious software installs a backdoor onto your computer and opens a connection to www(dot)meroo(dot)no-ip(dot)org, using port 778.
The backdoor (1122333.exe in the Documents and Settings folder), which is similar to the DarkComet Remote Administration Tool, allows the attacker to connect to your computer and do anything that he or she wants, including logging keystrokes and acting as the system administrator. The malware will modify the Windows startup script to ensure that the connection is always open.
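Both samples leave the same two traces the post describes: an autorun entry for the dropped executable, and a TCP connection to port 778. The following Python triage helper is an added example, not code from the original post or from ThreatGRID; it matches those indicators against constructed `netstat -ano` output and a constructed map of autorun entries, so that output gathered from a suspect machine can be checked offline.

```python
# Indicators quoted from the post above (not an exhaustive signature).
C2_HOST = "www.meroo.no-ip.org"      # C2 name used by both samples
C2_PORT = 778                        # C2 port used by both samples
SUSPECT_IMAGES = {
    "wmccds.exe",    # keylogger dropped by the PowerPoint self-extracting archive
    "1122333.exe",   # DarkComet-like backdoor dropped by the screen saver
}
SUSPECT_PATH = r"common files\vmconvert32\wmccds.exe".lower()


def suspicious_connections(netstat_output):
    """Return (remote_host, pid) for TCP rows whose remote port is C2_PORT.

    Expects `netstat -ano` rows: Proto, Local Address, Foreign Address, State, PID.
    Header and UDP rows are skipped; the host is split on the last ':' so that
    bracketed IPv6 addresses are handled too.
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP":
            continue
        host, _, port = fields[2].rpartition(":")
        if port.isdigit() and int(port) == C2_PORT:
            hits.append((host, fields[-1]))
    return hits


def suspicious_autoruns(entries):
    """entries: {autorun name: command line} gathered from the Run registry keys
    and the Startup folder. Flags a known image name or the VMConvert32 path."""
    flagged = {}
    for name, cmd in entries.items():
        low = cmd.lower().replace('"', "")
        image = low.split("\\")[-1].split()[0] if low.strip() else ""
        if image in SUSPECT_IMAGES or SUSPECT_PATH in low:
            flagged[name] = cmd
    return flagged


# Constructed sample data (192.0.2.0/24 is a documentation range, not a real C2).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1043      192.0.2.10:778         ESTABLISHED     1880
  TCP    192.168.1.20:1044      192.0.2.55:443         ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    812
"""
SAMPLE_AUTORUNS = {
    "wmccds": r'"C:\Program Files\Common Files\VMConvert32\wmccds.exe"',
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader\Reader_sl.exe"',
    "svc": r"C:\Documents and Settings\user\1122333.exe /silent",
}
```

A hit on either check is a reason to follow the post's advice and reinstall rather than only delete the flagged file, since the post notes that the keylogger and the backdoor both re-add themselves through the startup configuration.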
Comments
Please note that the comment area below has been archived.
It appears that this malware targets Windows computers exclusively. Is there similar malware targeting POSIX-compliant systems (e.g. Ubuntu Linux, Mac OS X, or other Unix systems)?
Sure there is (and it's easy to write your own) but in this instance there've only been reports about Windows malware. Both are very amateurish. One can download them from google-able websites and customize them with a GUI. Ready-made keyloggers for *NIX exist as well. But making them less obvious as in this case (still displaying slides/images) would require a bit of coding. I suspect the real reason for only targeting Windows here is once again market share.
Bashar Assad, enemy of freedom and killer of children in Syria <<< not strange if he wants to hack the activists >>> bad man <
... Yahoo changed its sh.it posting system and Tor can't take it, sh.it.
I am Jewish and pro-Netanyahu, MAN, MY BROTHER !!!

The Israeli foreign minister said MONTHS ago already that Israel is on the side of the rebels, and that Assad mass-murders his own people; I sum it up in a nutshell like that. IT'S TERRIBLE. TERRIBLE.

You ARE CORRECT. NO NAZI ARAB SPRING IN SYRIA. THERE IS REAL REVOLUTION. USA is AGAINST ASSAD. He is ONLY backed by the EVIL Chinese government. WE HACKERS have NOW to BE AGAINST THOSE 20'000 CHINESE GOVERNMENT-HIRED "HACKERS", IDIOTS, and WE HAVE TO RULE THE WORLD. WE WILL, AND WE CAN.

I am no hacker. But I would like to be. I am just a supporter. I hereby say that I VOLUNTEER for TOR and also FOR THE PIRATE BAY. YOU ART MY HIGHEST HEROES, ALL YOU PEOPLE OF TOR. I WOULD GIVE MY VERY LIFE NOW FOR YOU. This is NOT a JOKE. VAN HALEN, JUDGMENT DAY. :)
Hi. Will these viruses show in Run > msconfig > Startup (where you see what apps start up with Windows)? Is there anything suspicious in Task Manager (CTRL+ALT+DELETE)?
Or is the only way to spot it with antivirus software?
Tor bundle stopped in Syria on 4 April (yesterday) using Mac OS X. Any solution please?
political background:

I am Jewish, and my nose was broken by explicitly antisemite and pro-Hitler muzzie young fanatics from Tunisia/Algeria/Turkey, who now live in Germany. Almost my whole family of the grandparents was mass murdered by Hitler in Auschwitz.

At first, I didn't know anything about the current Bashar El-Assad; I remembered he took office after Hafez, his father, died. I was sad for Hafez. So, at first, I defended Assad. Since at least two months or three, I hear TERRIBLE STUFF about Assad. EVEN Amnesty International, and since MONTHS already the Israeli government, report about terrible mass murder of the Syrian population committed by the Assad regime.

It's QUITE clear that the Syrian government acts exactly like the Chinese completely Nazi government, and that both those "government"'s actions are 100% abusive and against ALL human rights and against ALL dignity and fairness and ethics, and that on both the REAL and VIRTUAL levels. So did the Chinese government hire hackers who hacked into the US commerce center only one month ago, and that's NOT and NOWHERE comparable to the good individuals who join computer clubs like the "ANON" hacker group. But TOR has INFORMED people against "SOPA/PIPA/ACTA", those ACTS of BIG BROTHER TOTAL CONTROL EVIL, and US CONGRESS on 24th of Jan. 2012 DID NOT adopt SOPA/PIPA, and Berlin some two months ago from now, beg. Apr. 2012, did NOT sign ACTA. WE WON. FOR NOW. But it all continues. WE MUST WIN. FREEDOM MUST WIN. REAL TRUE DEMOCRACY must win against WANTON EVIL NAZI OPPRESSION. NAZIS OPPRESS INNOCENT PEOPLE, TORTURE THEM and KILL THEM --- US !!! WE are ALL the VICTIMS, BUT WE SHAN'T ANYMORE be. ENOUGH is ENOUGH. I SALUTE the PIRATE BAY and the SWEDISH KING, BUT THE SWEDISH PRIME MINISTER IS AN ASSHOLE and WANTS TO KILL JULIAN ASSANGE OUR KING !!! OUR KING !!!! MY KING !!!! BOOO DOMSCHEIT-BERG, YOU ASSHOLE !!! YOU TRAITOR !!! YOU LIAR !!!