Activists in Iran and Syria targeted with malicious computer software

In February 2012 we learned that activists in Iran and Syria were targeted with two different types of malicious computer software. We received a copy of each malware, and Jonathan Tomek from ThreatGRID helped with the analysis.

How you get infected

The malicious software is spread as email attachments, and as files sent via Instant Messaging and Skype. The software looks like two completely harmless files: a Microsoft PowerPoint slide show and an image file. The malicious software will silently install itself on your computer when you open one of the files.

Malicious software, such as the two copies we analyzed, is normally designed to gather sensitive information and gain unauthorized access to a computer system. The seemingly harmless PowerPoint slide show turned out to be a keylogger, while the image file was really a backdoor, providing the attacker with full access to the system.

Both the keylogger and the backdoor will transfer data to www(dot)meroo(dot)no-ip(dot)org, on port 778. This domain name used to point to a server at a government-owned telecommunications company in Syria, but was later updated to point to a Linode server in London, UK. No-IP has since pointed the domain name to an invalid IP address (0.0.0.0).

Most anti-virus software will be able to detect and remove both the keylogger and the backdoor. You may try updating your anti-virus software, running it, and using it to remove the malware if anything pops up. However, the safest course of action is to re-install the operating system on your computer.

The EFF wrote a blog post called How to Find and Protect Yourself Against the Pro-Syrian-Government Malware on Your Computer. In the post, they recommend "that you take steps to protect yourself from being infected by not running any software received through e-mail, not installing software at all except over HTTPS, and not installing software from unfamiliar sources even if recommended by a pop-up ad or a casual recommendation from a friend."

PowerPoint slide show: keylogger

When you first try to open the PowerPoint slide show, you will get a security warning asking if you really want to allow this file to run. The Name field points to the following executable file: C:\Program Files\Common Files\VMConvert32\wmccds.exe

If you ignore the warning and click Run, a self-extracting RAR file will install the malware (the wmccds executable) onto your computer. The PowerPoint slide show will then open and you will see a series of images and some text in Farsi. The malware will not activate until you reboot your computer.

The first time you reboot, the malware will activate and start logging your keystrokes. If you are running Windows 7, you will see the same warning as mentioned above, and you have to click Run before the malware is actually activated. Older versions of Windows will not display this warning when you reboot.

The malware will modify the Windows startup script to ensure that the keylogger is always running when you are using the computer. The keylogger will affect your whole system, and it will even send the contents of your clipboard to the attacker. The Tor Browser Bundle does not protect you if you have a keylogger on your system.

Windows screen saver: backdoor

The Windows screen saver contains a type of malware that is a bit more complex than the one described above. When you run the Windows screen saver, it will start an image program and show you a picture (we saw a picture of a rifle, but that is not always the case). Meanwhile, the malicious software installs a backdoor onto your computer and opens a connection to www(dot)meroo(dot)no-ip(dot)org, using port 778.

The backdoor (1122333.exe in the Documents and Settings folder), which is similar to the DarkComet Remote Administration Tool, allows the attacker to connect to your computer and do anything that he or she wants, including logging keystrokes and acting as the system administrator. The malware will modify the Windows startup script to ensure that the connection is always open.
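A small host triage check built from the indicators the two sections above describe (the command-and-control host and port, the dropped wmccds.exe and 1122333.exe, and the startup modification). This is an added example, not code from the original post or from ThreatGRID; the netstat-style lines and autorun entries it scans are constructed sample data, and the IP addresses in them are documentation ranges, not the real server addresses.

```python
from dataclasses import dataclass

# Indicators taken from the post. Everything below this block is constructed.
C2_HOST = "www.meroo.no-ip.org"
C2_PORT = "778"
DROPPED_FILES = ("wmccds.exe", "1122333.exe")

# Constructed sample of `netstat -ano` output (Proto, Local, Remote, State, PID).
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.10:49152    www.meroo.no-ip.org:778   ESTABLISHED   1632",
    "  TCP    192.168.1.10:49153    198.51.100.20:443         ESTABLISHED   2040",
    "  TCP    192.168.1.10:49154    203.0.113.5:778           SYN_SENT      1632",
    "  UDP    0.0.0.0:5353          *:*                                     1100",
]

# Constructed sample of startup entries (registry Run keys, as an autoruns
# listing would print them). The malicious names come from the post.
SAMPLE_AUTORUNS = [
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VMConvert = C:\Program Files\Common Files\VMConvert32\wmccds.exe',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Documents and Settings\user\1122333.exe',
]


@dataclass
class Finding:
    kind: str      # "network" or "autorun"
    evidence: str  # the line that triggered the finding


def check_connections(netstat_lines):
    """Flag TCP connections to the C2 host, or to port 778 on any host.

    Matching on the port as well as the name matters here: the post notes the
    domain was re-pointed more than once, so the remote may show as a bare IP.
    """
    findings = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")   # handles "[::1]:778" too
        if host.lower() == C2_HOST or port == C2_PORT:
            findings.append(Finding("network", line.strip()))
    return findings


def check_autoruns(entries):
    """Flag startup entries whose command references a dropped executable."""
    return [Finding("autorun", e) for e in entries
            if any(name in e.lower() for name in DROPPED_FILES)]


def triage(netstat_lines, autorun_entries):
    """Run both checks and return every finding, network ones first."""
    return check_connections(netstat_lines) + check_autoruns(autorun_entries)
```

Feed it the real `netstat -ano` output and an autoruns listing from a suspect machine; a clean host returns an empty list.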


It appears that this malware targets Windows computers exclusively. Is there similar malware targeting POSIX-compliant systems (e.g. Ubuntu Linux, Mac OS X, or other Unix systems)?

Sure there is (and it's easy to write your own), but in this instance there've only been reports about Windows malware. Both are very amateurish. One can download them from google-able websites and customize them with a GUI. Ready-made keyloggers for *NIX exist as well. But making them less obvious, as in this case (still displaying slides/images), would require a bit of coding. I suspect the real reason for only targeting Windows here is once again market share.

Bashar Assad, enemy of freedom and killer of children in Syria <<< not strange if he wants to hack the activists>>> bad man <

... yahoo changed its sh.it posting system and tor can't take it, sh.it.

i am jewish and pro-Netanyahu, MAN, MY BROTHER !!!

the israeli foreign minister said MONTHS ago already, that Israel is on the side of the rebels, and that Assad mass murders his own people, i sum it up in a nutshell like that. IT'S TERRIBLE. TERRIBLE.

you ARE CORRECT. NO NAZI ARAB SPRING IN SYRIA. THERE IS REAL REVOLUTION. USA is AGAINST ASSAD. he is ONLY backed by the EVIL chinese government. WE HACKERS have NOW to BE AGAINST THOSE 20'000 CHINESE GOVERNMENT-HIRED "HACKERS", IDIOTS, and WE HAVE TO RULE THE WORLD. WE WILL, AND WE CAN.

I am no hacker. But i would like to be. I am just a supporter. I hereby say that I VOLUNTEER for TOR and also FOR THE PIRATE BAY. YOU ARE MY HIGHEST HEROES, ALL YOU PEOPLE OF TOR. I WOULD GIVE MY VERY LIFE NOW FOR YOU. This is NOT a JOKE. VAN HALEN, JUDGMENT DAY. :)

Hi. Will these viruses show in Run > msconfig > Startup (where you see what apps start up with Windows)? Is there anything suspicious in Task Manager (CTRL+ALT+DELETE)?

Or is the only way to spot it with antivirus software?

Tor bundle stopped in Syria on 4 April (yesterday) using Mac OS X. Any solution please?

political background:

I am jewish, and my nose was broken by explicitly antisemitic and pro-hitler muzzie young fanatics from Tunisia/Algeria/Turkey, who now live in Germany. my almost whole family of the grandparents was mass murdered by hitler in Auschwitz.

at first, i didn't know anything about the current Bashar El-Assad, I remembered he took office after Hafez, his father, died. I was sad for Hafez. So, at first, I defended Assad. Since at least two months or three, I hear TERRIBLE STUFF about Assad. EVEN Amnesty International, and since MONTHS already the Israeli government, report about terrible mass murder of the Syrian population committed by the Assad regime.

It's QUITE clear, that the Syrian government acts exactly like the chinese completely nazi government, and that both those "government"'s actions are 100% abusive and against ALL human rights and against ALL dignity and fairness and ethics, and that, on both the REAL and VIRTUAL levels. So did the chinese government hire hackers who hacked into the US commerce center only one month ago, and that's NOT and NOWHERE comparable to the good individuals who join computer clubs like the "ANON" hacker group. But TOR has INFORMED people against "SOPA/PIPA/ACTA", those ACTS of BIG BROTHER TOTAL CONTROL EVIL, and US CONGRESS on 24th of Jan. 2012 DID NOT adopt SOPA/PIPA, and Berlin some two months ago from now, beg. Apr. 2012, did NOT sign ACTA. WE WON. FOR NOW. But it all continues. WE MUST WIN. FREEDOM MUST WIN. REAL TRUE DEMOCRACY must win against WANTON EVIL NAZI OPPRESSION. NAZIS OPPRESS INNOCENT PEOPLE, TORTURE THEM and KILL THEM --- US !!! WE are ALL the VICTIMS, BUT WE SHAN'T ANYMORE be. ENOUGH is ENOUGH. I SALUTE the PIRATE BAY and the SWEDISH KING, BUT THE SWEDISH PRIME MINISTER IS AN ASSHOLE and WANTS TO KILL JULIAN ASSANGE OUR KING !!! OUR KING !!!! MY KING !!!! BOOO DOMSCHEIT-BERG, YOU ASSHOLE !!! YOU TRAITOR !!! YOU LIAR !!!
