Internet users in Iran and Syria who try to get around censorship controls are being targeted by spyware, researchers from the University of Toronto have found.
The team discovered installation software for a proxy tool called Simurgh was also implanting keylogging spyware.
Simurgh software is used to keep a web user's identity anonymous and allow them to gain access to blocked sites, but a corrupted version also adds a Trojan virus to the PC – sending data to a site registered with a Saudi Arabian ISP.
Data sent includes usernames, machine name, windows clicked and each keystroke entered.
Simurgh's makers posted a warning message on their website, suggesting versions of the software downloaded from file-sharing site 4shared could have been compromised. Meanwhile, antivirus providers Sophos and Avira have updated their malware scanners to identify when the code is present.
“This Trojan has been specifically crafted to target people attempting to evade government censorship,” Morgan Marquis-Boire, a technical adviser in Toronto University’s Munk School of Global Affairs, said.
“If found to be installed on a computer one must consider all online accounts (email, banking etc) to have been compromised and it is advised that all online passwords be changed as soon as possible.”
The discovery follows another malware attack in the Middle East – dubbed Flame – which sought to steal sensitive data.
“Unlike Flame, which is highly targeted malware that has only been found on a handful of computers globally, this malware is targeting users for whom having their communications compromised could result in imprisonment or worse,” Chester Wisniewski, senior security advisor at Sophos, wrote on the company’s blog.
“Many thousands depend on the legitimate Simurgh service, which makes it likely that far more people have been impacted by this malware.”