Syrian Government Pushing Malware To Activists Via Skype

Bashar al-Assad’s government infects rebels’ computers with Remote Access Tools

Security company F-Secure has discovered the Syrian government has used Skype and social engineering to infect activist systems with surveillance tools.

Some time ago, the F-Secure lab received a hard drive with an image of a system for analysis. The system belonged to a Syrian activist. It contained a backdoor, sent from the account of another activist, but the latter was in custody at the time and could not possibly have been on Skype.

According to F-Secure, using Trojans and backdoors to spy on citizens has become a regular tactic for oppressive regimes.

Wolves in sheep’s clothing

The activist’s computer was infected during a Skype chat with who she thought was a fellow freedom fighter. “We received the hard drive from a source we cannot name. The user got suspicious when she realised that the person who she was chatting with couldn’t be available, as he was arrested before the conversation took place. Then she remembered she had received a file and became very worried,” Mikko Hypponen, chief research officer at F-Secure,  told TechWeekEurope.

The impersonator sent an application called MACAddressChanger.exe that was supposed to help avoid government surveillance. Instead, it spawned a file called silvia.exe, which, upon closer examination, turned out to be the “Xtreme RAT” backdoor.

website selling Xtreme RAT, available for €100, describes it as a tool that allows users to control their computer from anywhere in world. But Hypponen called it “a full-blown malicious Remote Access Tool”.

“It can watch the screen, log the keystrokes, turn on the microphone and webcam remotely and access the file system not just on the computer itself, but also files on any Local Area Network that user is logged on to. It can even get into shared files hosted on Dropbox.”

The backdoor called home to the IP address 216.6.0.28. This IP block belongs to the Syrian Telecommunications Establishment (STE), which reports to the government. “We believe the activist’s computer was specifically targeted,” said Hypponen.

Modern warfare

“We are seeing all governments using more technology and especially the oppressive governments. It’s quite easy to see why it’s happening, but it doesn’t cease to amaze me.

“If someone would have told me 10 years ago that by 2012 it will be commonplace for governments to create backdoors and Trojans and use them to spy both on their own people and other countries, create software that would target nuclear programs of other countries, I wouldn’t have believed it. It sounds like science fiction, but it’s exactly what we are seeing at the moment.”

However, Hypponen doesn’t see his company as a band of freedom fighters. “We don’t like governments using technology against their own citizens. And our customers expect to be fully protected against malware, even if it comes from their own government. But we do it on technical merit, there’s no political context.”

This was not the first attack of its kind to happen in Syria. In February, CNN posted a similar story, identifying another two types of malware that targeted Syrian activists, being spread through Skype and Facebook.

To avoid being monitored online, by governments or otherwise, F-Secure recommends keeping systems fully patched, and having firewall and antivirus on at all times. Running an executable that has been received through Skype is never a good idea, even if it really comes from a friend. And to avoid becoming the victim of social engineering, it pays to be careful. “If something doesn’t feel right, double-check it,” advises Hypponen.

Since the beginning of the Arab Spring, various groups have upped their use of social networking and technology to oppose governments. The Syrian government tries its best to keep up with the trends. Last year, it banned the use of iPhones to stop protesters from communicating and even cut off the Internet for a whole day.

Are you an expert on social networks? Take our quiz!