Topic: Iranian anti-censorship software ‘Simurgh’ circulated wi
Posted by Conrad_73, Wed 05/30/12 12:12 PM
Iranian anti-censorship software ‘Simurgh’ circulated with malicious backdoor



Simurgh is an Iranian stand-alone proxy software for Microsoft Windows. It has been used mainly by Iranian users to bypass censorship since 2009. The downloadable file is less than 1 MB and can be downloaded within a reasonable amount of time even with a slow internet connection, which makes it convenient for many users in Iran. Simurgh runs without prior installation or administrator privileges on the computer and therefore can be copied and used from a USB flash drive on any shared computer (i.e., Internet cafes).

Simurgh is available for free download from its official website https://simurghesabz.net. After running the executable file, a user interface (see below) opens. When the user clicks “Start”, Simurgh will attempt to establish a secure connection. The web browser will then open a new window to provide users with a test page, confirming their secure connection originating from a different country.

Read on at the link.

http://citizenlab.org/2012/05/iranian-anti-censorship-software-simurgh-circulated-with-malicious-backdoor-2/

http://nakedsecurity.sophos.com/2012/05/29/spying-trojan-targets-iranian-web-surfers-dissidents/

Spying Trojan targets Iranian and Syrian web surfers, dissidents

While the press is obsessed with the Flame malware, its complexity, size and the possibility that it may have targeted Iran, there is a far more nefarious piece of malicious code targeting Iranian citizens, not their government.

Late last week Morgan Marquis-Boire from CitizenLab.org discovered a tool used by Iranians to protect their privacy and by dissidents who fear oppression related to their online communications was being distributed with malware inside.

Many Iranians use a free encrypted proxy tool called Simurgh. It is also being adopted by anti-government groups in Syria, interested in concealing their online activities. The official version of Simurgh can be downloaded from the official website https://simurghesabz.net, but Trojanized versions called Simurgh-setup.zip have been appearing on file sharing sites for quite some time.

The real software is standalone and does not require installation, which is ideal for people who want to run it from a USB memory stick at cybercafes and other public access points.

Fortunately Sophos Anti-Virus proactively detected the malicious version as HIPS/RegMod-012 for customers who have our Host Intrusion Prevention System (HIPS) enabled. We have also released file-based detection as Mal/Generic-L.

Users who use a search engine to find Simurgh and download the infected version will be prompted with an installer screen, instead of the application itself when the file is executed.
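The two articles above give a concrete shape to the trojanized copies: the genuine Simurgh is a single standalone Windows executable under 1 MB that needs no installer, while the bad copies circulated as Simurgh-setup.zip and present an installer screen. The script below is an added example (not code from Citizen Lab, Sophos, or the Simurgh project) that triages a downloaded candidate against exactly those traits before anyone runs it. It assumes a SHA-256 allowlist that the user fills in from a trusted source; neither article publishes hashes, so the list ships empty and only a hash match is treated as authoritative. The sample files it triages are constructed in memory so it runs offline.

```python
"""Triage a downloaded 'Simurgh' candidate before running it.

Added example, not code from Citizen Lab, Sophos, or the Simurgh project.
Heuristics come from the articles: the genuine build is one standalone PE
under 1 MB with no installer; the trojanized copies were 'Simurgh-setup.zip'
and show an installer screen. KNOWN_GOOD_SHA256 is a placeholder the user
must fill from a trusted source (assumption: the official site).
"""
import hashlib
import io
import struct
import zipfile

ONE_MB = 1024 * 1024

# Placeholder allowlist: SHA-256 of builds verified out of band. Empty here.
KNOWN_GOOD_SHA256 = set()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def zip_members(data: bytes) -> list:
    """Member names if data is a ZIP archive, else an empty list."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage(name: str, data: bytes, known_good=KNOWN_GOOD_SHA256) -> dict:
    """Return a verdict ('known-good', 'unverified', 'suspicious') plus findings.

    Only the hash match is authoritative. The heuristics catch the pattern the
    articles describe (an archive wrapping an installer instead of one small
    executable); a trojan shipped as a standalone exe would pass them, which is
    why a clean run yields 'unverified' rather than 'clean'.
    """
    digest = sha256(data)
    if digest in known_good:
        return {"verdict": "known-good", "sha256": digest, "findings": []}
    findings = []
    members = zip_members(data)
    if members:
        findings.append("archive rather than a standalone executable: " + ", ".join(members))
        if any("setup" in m.lower() or "install" in m.lower() for m in members):
            findings.append("archive contains an installer-named file")
    elif not looks_like_pe(data):
        findings.append("not a Windows PE executable")
    if len(data) >= ONE_MB:
        findings.append(f"size {len(data)} bytes is not under 1 MB")
    if "setup" in name.lower():
        findings.append("filename suggests an installer package")
    verdict = "suspicious" if findings else "unverified"
    return {"verdict": verdict, "sha256": digest, "findings": findings}


# --- Constructed sample inputs (not real Simurgh files) ---

def make_fake_pe(size: int) -> bytes:
    """Minimal PE-shaped blob: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0', zero padding."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes
    header += struct.pack("<I", 0x40)                # e_lfanew at offset 0x3C
    header += b"PE\x00\x00"                          # PE signature at 0x40
    return bytes(header) + b"\x00" * (size - len(header))


def make_setup_zip() -> bytes:
    """Constructed stand-in for the trojanized 'Simurgh-setup.zip'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Simurgh-setup.exe", make_fake_pe(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("Simurgh.exe", make_fake_pe(500_000)),
                        ("Simurgh-setup.zip", make_setup_zip())]:
        print(fname, triage(fname, blob))
```

In use, populate KNOWN_GOOD_SHA256 only with digests obtained from the official site over HTTPS (or another channel you trust), never from the same file-sharing site that served the download; the structural checks are a tripwire for the specific repackaging described above, not a substitute for that comparison.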