Keylogging Version of Anti-Censorship Software Simurgh Found

Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:03:32


Citizen Lab found a compromised version of an anti-censorship tool that’s popular in Iran and Syria circulating with a backdoor installed.

The software, Simurgh, is described by Citizen Lab as a stand-alone proxy software for Microsoft Windows users. It was used predominantly by Iranians in the wake of the Green Revolution in 2009. However, according to the Citizen Lab report, more recently Simurgh has been widely recommended and circulated as a tool to circumvent Syrian government censorship in that country’s ongoing crackdown on dissidents.

The tool has been particularly helpful in these countries because the downloadable file is apparently less than 1 MB, making it a quick download, even in areas with weak or slow Internet connections. It also runs without prior installation or admin privileges and has been copied onto USB flash drives and spread through Internet cafes in these countries.

The compromised version does install the actual Simurgh software, but it also installs a type of backdoor with key-logging functionalities.

Citizen Lab is warning that if users find this trojan on their computer they can safely assume that all of their online accounts have been compromised, which is particularly troubling because the fake version of Simurgh appears, for the most part, to be targeting individuals that are attempting to evade government censorship. Citizen Lab advises that users of infected machines should perform a full reinstall and change all passwords to online accounts.

You can read some a more technical description of the backdoored version of Simurgh on Citizen Lab’s website.

SImurgh is aware of and warning users about the malicious version with a prominent message on their homepage. Citizen Lab also reached out to the site hosting the malicious version of Simurgh, who promptly removed it.