Iranian anti-censorship software ‘Simurgh’ circulated with malicious backdoor-CitizenLab
May 27, 2012
CitizenLab: May 25, 2012
Simurgh is an Iranian stand-alone proxy software for Microsoft Windows. It has been used mainly by Iranian users to bypass censorship since 2009. The downloadable file is less than 1 MB and can be downloaded within a reasonable amount of time even with a slow internet connection, which makes it convenient for many users in Iran. Simurgh runs without prior installation or administrator privileges on the computer and therefore, can be copied and used from a USB flash drive on any shared computer (i.e Internet cafes).
Simurgh is available for free download from its official website https://simurghesabz.net. After running the executable file, a user interface (see below) opens. When the user clicks “Start”, Simurgh will attempt to establish a secure connection. The web browser will then open a new window to provide users with a test page, confirming their secure connection originating from a different country.
It has recently come to our attention that this software is being recommended and circulated among Syrian Internet users for bypassing censorship in their country. This information led to the discovery and analysis of a back-doored version of this software.
The malicious copy will install the Simurgh software, but will also install an undesirable backdoor on the victim’s computer. This software is distributed as “Simurgh-setup.zip” and is identifiable via the following md5 and sha256 hashes:
When you unzip this file you are presented with Simurgh-setup.exe
The installer from the most recent legitimate version of Simurgh looks like this:
Executing the malicious version starts an installation dialogue which looks like this:
In addition to creating a copy of Simurgh in:
The malicious GUI installer drops 4 binaries in C:\windows\system32\drivers:
MSINET.OCX – 73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
richtx32.ocx – 318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5
shdocvw.dll – fdae6764d190bf265dbc2df352174ccdcc97b1680545e348f1ee1111b0808693
lsass.exe – 9320d247dd94f610f31037df8eda75fe79991f126d2e55d35a9532d09ff79896
The first three files are legitimate Microsoft system files which appear to be dependencies of the fourth, ‘lsass.exe’. This file is VB6 native code and is installed as an implant to allow persistent access to the victim’s computer and to provide data exfiltration capabilities.
As part of the installation the following registry entry is written which ensures the running of the Trojan on logon:
HKLM\software\microsoft\windows nt\currentversion\winlogon\shell explorer.exe C:\WINDOWS\system32\drivers\lsass.exe REG_SZ 0
On startup, ‘lsass.exe’ deletes ‘C:\WINDOWS\Media\Windows XP Start.wav’. This file is the ‘navigation’ sound in Explorer, IE, and other applications based on a common set of controls. Since ‘lsass.exe’ uses several of these controls, this is presumably done to prevent ‘clicking’ sounds during the operation of the implant. However, this will also lead to a lack of navigation sounds in other applications, where they would be expected.
These act as basic HTML templates for data mined from the victim’s system (such as keystrokes). Processing of ‘win.txt’ renames it to ‘upl.htm’ which is then sent via HTTP post request to a remote site registered with a Saudi Arabian ISP.
If this Trojan is found to be installed on a computer one must consider all online accounts (E-mail, banking, etc.) to have been compromised and it is advised that all online passwords be changed as soon as possible. While this Trojan is detected by most anti-virus software as malicious, AV software cannot always be guaranteed to clean up an infected system and a full re-install is suggested.
This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan. Additionally, they should be cautious about installing software, especially circumvention software, from untrusted sources. Where possible, software should be downloaded from trusted official websites over HTTPS. If checksums or cryptographic signatures are provided by the software vendor, these should be checked prior to installation.
Morgan Marquis-Boire is a security researcher and Technical Advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He works as a Security Engineer at Google specializing in Incident Response, Forensics and Malware Analysis. Recently, he has been working with the Electronic Frontier Foundation on issues surrounding dissident suppression in Syria.