Iranians and Syrians who search the web for a popular censorship-evading proxy, ‘Simurgh’, are at risk of downloading a fake, trojanised version of the privacy tool. Canadian digital and human rights group Citizen Lab last week warned that a fake version of the Iranian ‘Simurgh’ proxy contains a backdoor which, by way of a keylogger, could lead to the user’s identification.
Green Simurgh (Phoenix) is a free service for Windows PCs that connects through a US IP address and is promoted in Iran as a means of privately bypassing the nation’s strict web censorship regime.
Citizen Lab says it became aware of the trojanised version of the proxy after it was circulated among internet users in Iran’s troubled regional neighbour, Syria.
Simurgh warns on its official site, simrghesabz.net, that malicious versions of its proxy software have been found on the popular online storage site 4Shared.
The fake version launches an installer that implants a remote access tool and a trojan that silences the ‘click’ navigation sound in Internet Explorer and logs the user’s keystrokes.
“The real software is standalone and does not require installation, which is ideal for people who want to run it from a USB memory stick at cybercafes and other public access points,” says Sophos senior security advisor, Chester Wisniewski.
Citizen Lab’s technical advisor, Morgan Marquis-Boire, said the keystroke logs are sent to a Saudi Arabian ISP; Wisniewski, however, clarified that the logs are actually sent to servers hosted in the US that appear to be registered to an entity in Saudi Arabia.
Wherever the data is going, Marquis-Boire points out that the malware has clearly defined targets.
“This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan.”