Iranian anti-censorship software ‘Simurgh’ circulated with malicious backdoor (Updated)

May 25, 2012


Categories: Morgan Marquis-Boire, Reports and Briefings


Simurgh is an Iranian stand-alone proxy application for Microsoft Windows. It has been used mainly by Iranian users to bypass censorship since 2009. The downloadable file is less than 1 MB and can be fetched in a reasonable amount of time even over a slow Internet connection, which makes it convenient for many users in Iran. Simurgh runs without prior installation or administrator privileges, and can therefore be copied to a USB flash drive and used on any shared computer (e.g. in Internet cafes).

Simurgh is available for free download from its official website https://simurghesabz.net. After running the executable file, a user interface (see below) opens. When the user clicks “Start”, Simurgh will attempt to establish a secure connection. The web browser will then open a new window to provide users with a test page, confirming their secure connection originating from a different country.

It has recently come to our attention that this software is being recommended and circulated among Syrian Internet users for bypassing censorship in their country. This information led to the discovery and analysis of a back-doored version of this software.

The malicious copy installs the Simurgh software, but also installs an undesirable backdoor on the victim’s computer. It is distributed as “Simurgh-setup.zip” and is identifiable via the following MD5 and SHA256 hashes:

5e2a714fdfc2309af843056e8c5ae7d3 Simurgh-setup.zip
9c1a238d87e3bad41708c2e98f753442a224ed9df994e1a34083b2bf336047e5 Simurgh-setup.zip

Unzipping this file yields Simurgh-setup.exe:

379480c807812f3521466f7ff5ffa273 Simurgh-setup.exe
e20438a4cf90b67dab613451cc5b3bc35256413461dafdfc35425429d8d478df Simurgh-setup.exe

The installer from the most recent legitimate version of Simurgh looks like this:

Executing the malicious version starts an installation dialogue which looks like this:

In addition to creating a copy of Simurgh in:

C:\Program Files\Simurgh\Simurgh.exe

the malicious GUI installer drops four binaries in C:\windows\system32\drivers:

MSINET.OCX – 73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
richtx32.ocx – 318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5
shdocvw.dll – fdae6764d190bf265dbc2df352174ccdcc97b1680545e348f1ee1111b0808693
lsass.exe – 9320d247dd94f610f31037df8eda75fe79991f126d2e55d35a9532d09ff79896

The first three files are legitimate Microsoft system files which appear to be dependencies of the fourth, ‘lsass.exe’. This file is VB6 native code and is installed as an implant that allows persistent access to the victim’s computer and provides data exfiltration capabilities.

As part of the installation the following registry entry is written, which ensures that the Trojan is run at logon:

HKLM\software\microsoft\windows nt\currentversion\winlogon\shell explorer.exe C:\WINDOWS\system32\drivers\lsass.exe REG_SZ 0

On startup, ‘lsass.exe’ deletes ‘C:\WINDOWS\Media\Windows XP Start.wav’. This file is the ‘navigation’ sound in Explorer, IE, and other applications based on a common set of controls. Since ‘lsass.exe’ uses several of these controls, this is presumably done to prevent ‘clicking’ sounds during the operation of the implant. However, this will also lead to a lack of navigation sounds in other applications, where they would be expected.

In addition to ensuring persistence, ‘lsass.exe’ enumerates basic details of the system (IP address, hostname, victim username) and provides keylogging functionality. The binary contains three JavaScript files which are written out as the text files:

C:\WINDOWS\system32\win.txt
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt

These act as basic HTML templates for data mined from the victim’s system (such as keystrokes). Processing of ‘win.txt’ renames it to ‘upl.htm’, which is then sent via an HTTP POST request to a remote site registered with a Saudi Arabian ISP.
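The indicators above (the four dropped files and their SHA256 hashes, the Winlogon Shell value, the deleted navigation sound and the three template text files) can be turned into a host triage check. The following Python script is an added example and is not code from the Citizen Lab report or the Simurgh project; the paths and hashes are those the report lists, while the function names, the HostSnapshot type and the two constructed sample snapshots are assumptions made for this example. On Windows it reads the real registry value and hashes the real files; on any other platform it runs against the constructed infected snapshot.

```python
"""Host triage for the indicators listed in the report.

Added example, not code from the Citizen Lab report. The file paths, the
Winlogon Shell value and the SHA256 hashes are the ones the report gives;
the function names, the HostSnapshot type and the constructed sample
snapshots are assumptions made for this example.
"""
import hashlib
import os
import platform
from dataclasses import dataclass
from typing import Dict, List

DRIVERS = r"C:\WINDOWS\system32\drivers"
# SHA256 of the four files the installer drops (from the report). The first three
# are legitimate Microsoft controls; lsass.exe under *drivers* is the implant.
# (The genuine lsass.exe lives in system32, never in system32\drivers.)
DROPPED = {
    DRIVERS + r"\MSINET.OCX":   "73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31",
    DRIVERS + r"\richtx32.ocx": "318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5",
    DRIVERS + r"\shdocvw.dll":  "fdae6764d190bf265dbc2df352174ccdcc97b1680545e348f1ee1111b0808693",
    DRIVERS + r"\lsass.exe":    "9320d247dd94f610f31037df8eda75fe79991f126d2e55d35a9532d09ff79896",
}
IMPLANT = DRIVERS + r"\lsass.exe"
TEMPLATES = [r"C:\WINDOWS\system32\win.txt", r"C:\WINDOWS\system32\1.txt", r"C:\WINDOWS\system32\2.txt"]
NAV_SOUND = r"C:\WINDOWS\Media\Windows XP Start.wav"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


@dataclass
class HostSnapshot:
    """What triage needs from a host: path -> SHA256 hex for every file that
    exists (absent files are simply missing from the dict) plus the Shell value."""
    files: Dict[str, str]
    winlogon_shell: str


def check_winlogon_shell(value: str) -> List[str]:
    """Return every program named in the Winlogon Shell value other than explorer.exe.
    A clean value is exactly 'explorer.exe'; the report's infected value is
    'explorer.exe C:\\WINDOWS\\system32\\drivers\\lsass.exe'. Windows separates
    multiple shells with commas, the implant used a space, so both are honoured
    (a path containing spaces is still flagged, just as two tokens)."""
    return [p for p in value.replace(",", " ").split() if p.lower() != "explorer.exe"]


def triage(snap: HostSnapshot) -> Dict[str, List[str]]:
    """Collect findings by category from a snapshot (all path/hash comparisons are case-insensitive)."""
    files = {p.lower(): h.lower() for p, h in snap.files.items()}
    findings: Dict[str, List[str]] = {"implant": [], "dependencies": [], "persistence": [], "artifacts": []}

    for path, known in DROPPED.items():
        seen = files.get(path.lower())
        if seen is None:
            continue
        category = "implant" if path == IMPLANT else "dependencies"
        verdict = "hash matches report" if seen == known else "hash differs (possible variant)"
        findings[category].append(f"{path}: {verdict}")

    for extra in check_winlogon_shell(snap.winlogon_shell):
        findings["persistence"].append(f"Winlogon Shell runs extra program: {extra}")

    for t in TEMPLATES:
        if t.lower() in files:
            findings["artifacts"].append(f"template present: {t}")
    if NAV_SOUND.lower() not in files:
        findings["artifacts"].append(f"navigation sound missing: {NAV_SOUND}")
    return findings


def is_infected(findings: Dict[str, List[str]]) -> bool:
    """Dependencies and artifacts alone are weak evidence; the implant itself or a
    persistence entry pointing at it is required for a positive verdict."""
    return bool(findings["implant"]) or any(IMPLANT.lower() in p.lower() for p in findings["persistence"])


def collect_snapshot() -> HostSnapshot:
    """Build a real snapshot on Windows (winreg only exists there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    files: Dict[str, str] = {}
    for path in list(DROPPED) + TEMPLATES + [NAV_SOUND]:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[path] = hashlib.sha256(fh.read()).hexdigest()
    return HostSnapshot(files=files, winlogon_shell=shell)


# Constructed sample: a host matching the report (implant and dependencies present,
# win.txt written out, navigation sound deleted, Shell value modified).
INFECTED = HostSnapshot(
    files={**DROPPED, TEMPLATES[0]: "0" * 64},
    winlogon_shell=r"explorer.exe C:\WINDOWS\system32\drivers\lsass.exe",
)
# Constructed sample: a clean host (only the navigation sound present, default Shell).
CLEAN = HostSnapshot(files={NAV_SOUND: "1" * 64}, winlogon_shell="explorer.exe")

if __name__ == "__main__":
    snap = collect_snapshot() if platform.system() == "Windows" else INFECTED
    found = triage(snap)
    for category, items in found.items():
        for item in items:
            print(f"[{category}] {item}")
    print("VERDICT:", "infected" if is_infected(found) else "no implant found")
```

Only the implant itself, or a Shell value pointing at it, yields a positive verdict: the three OCX/DLL dependencies are legitimate Microsoft files and a missing navigation sound has benign explanations, so both are reported as supporting evidence only. A drivers-directory lsass.exe whose hash differs from the report is still reported under "implant", since a repacked variant would carry a different hash.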

If this Trojan is found on a computer, all online accounts (e-mail, banking, etc.) must be considered compromised, and it is advised that all online passwords be changed as soon as possible. While most anti-virus software detects this Trojan as malicious, AV software cannot always be relied upon to fully clean an infected system, and a full re-install is suggested.

This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan. Additionally, they should be cautious about installing software, especially circumvention software, from untrusted sources. Where possible, software should be downloaded from trusted official websites over HTTPS. If checksums or cryptographic signatures are provided by the software vendor, these should be checked prior to installation.


UPDATED: May 30, 2012

Since our report was published, the Simurgh team has taken several important steps to warn their users about this threat.

    1. The Simurgh team warns their users directly on the website https://simurghesabz.net/ with a prominent message in Arabic, Farsi and English about the malicious versions of the software. They post MD5 checksums of the official binaries and malicious packages, as well as instructions for how to check MD5 checksums against downloaded software. If you use Simurgh you should immediately compare your installer against the checksums posted on the official site.

You can also find these checksums below:

Official binaries
– simurgh120.20100910.exe – 07855ead46bb15718ee73d513bdb9678
– simurgh120beta.20100326.exe – ddecf8ac6c96c148cc7c42183d25baa9

Malicious installer packages
– Simurgh-setup.zip – 5e2a714fdfc2309af843056e8c5ae7d3
– Simurgh-setup.exe – 379480c807812f3521466f7ff5ffa273
– Simurgh-setup.exe – 300b0d061dfb9c9c6d7bdeecc74169f1
– simurgh[homs-sin.ibda3.org].exe – c8c8817af66312cfcfcb1ddf952f9d98
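A user who has downloaded an installer can check it against these lists with a short script. The following Python is an added example, not code from the Citizen Lab report or the Simurgh team; the MD5 and SHA256 values are those published above and in the report body, while the function names and verdict labels are assumptions made for this example.

```python
"""Check a downloaded Simurgh installer against the published checksums.

Added example, not code from the Citizen Lab report or the Simurgh team.
The digests below are the ones published in the report and its update;
the function names and the verdict labels are assumptions for this example.
"""
import hashlib
import sys
from typing import BinaryIO, Dict, Tuple

# MD5 checksums of the official binaries posted by the Simurgh team.
OFFICIAL_MD5: Dict[str, str] = {
    "07855ead46bb15718ee73d513bdb9678": "simurgh120.20100910.exe",
    "ddecf8ac6c96c148cc7c42183d25baa9": "simurgh120beta.20100326.exe",
}
# MD5 checksums of the malicious installer packages.
MALICIOUS_MD5: Dict[str, str] = {
    "5e2a714fdfc2309af843056e8c5ae7d3": "Simurgh-setup.zip",
    "379480c807812f3521466f7ff5ffa273": "Simurgh-setup.exe",
    "300b0d061dfb9c9c6d7bdeecc74169f1": "Simurgh-setup.exe",
    "c8c8817af66312cfcfcb1ddf952f9d98": "simurgh[homs-sin.ibda3.org].exe",
}
# SHA256 of the two malicious files analysed in the report body.
MALICIOUS_SHA256: Dict[str, str] = {
    "9c1a238d87e3bad41708c2e98f753442a224ed9df994e1a34083b2bf336047e5": "Simurgh-setup.zip",
    "e20438a4cf90b67dab613451cc5b3bc35256413461dafdfc35425429d8d478df": "Simurgh-setup.exe",
}


def digest(fh: BinaryIO) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of a binary stream, read in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fh.read(1 << 16), b""):
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def classify(md5_hex: str, sha256_hex: str) -> Tuple[str, str]:
    """Map a pair of digests to ('malicious' | 'official' | 'unknown', matched name).

    The filename on disk is deliberately not consulted: the trojaned package
    carries the legitimate-looking name, so only the digest is evidence. The
    malicious lists are consulted first so that any overlap errs toward caution.
    """
    md5_hex, sha256_hex = md5_hex.lower(), sha256_hex.lower()
    if sha256_hex in MALICIOUS_SHA256:
        return "malicious", MALICIOUS_SHA256[sha256_hex]
    if md5_hex in MALICIOUS_MD5:
        return "malicious", MALICIOUS_MD5[md5_hex]
    if md5_hex in OFFICIAL_MD5:
        return "official", OFFICIAL_MD5[md5_hex]
    return "unknown", ""


def verify(path: str) -> str:
    """Hash the file at `path`, print the digests and a verdict, and return the verdict."""
    with open(path, "rb") as fh:
        md5_hex, sha256_hex = digest(fh)
    verdict, name = classify(md5_hex, sha256_hex)
    print(f"{path}\n  md5    {md5_hex}\n  sha256 {sha256_hex}")
    if verdict == "malicious":
        print(f"  MALICIOUS: matches the back-doored package '{name}'. Do not run it.")
    elif verdict == "official":
        print(f"  official: MD5 matches '{name}' (MD5 only; prefer a SHA256 or a signature from the vendor).")
    else:
        print("  unknown: matches neither list; compare with the checksums on the official site.")
    return verdict


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_simurgh.py <downloaded-installer>")
    sys.exit(1 if verify(sys.argv[1]) == "malicious" else 0)
```

Because the Simurgh team publishes MD5 checksums only, an "official" verdict rests on MD5 alone; MD5 is no longer collision-resistant, so a SHA256 checksum or an Authenticode or PGP signature from the vendor, where available, is the stronger check. An "unknown" result is not a clean bill of health: it only means the file matches none of the hashes known at the time of writing.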

    2. As Sophos has pointed out in a recent blog post on Naked Security http://nakedsecurity.sophos.com/2012/05/29/spying-trojan-targets-iranian-web-surfers-dissidents/, the splash page that loads when Simurgh is initialized to show the users’ IP has been configured to warn users who may be compromised. If you see a warning you should immediately run an antivirus program to remove the software or, for greater assurance, reinstall your operating system.

In addition to the steps the Simurgh team has taken, we have contacted the provider that was hosting the malicious version of Simurgh, and they have now taken down the malicious package.




About Morgan Marquis-Boire

Morgan Marquis-Boire is a Technical Advisor at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He works as a Security Engineer at Google specializing in Incident Response, Forensics and Malware Analysis.


10 Comments

  1. Posted May 25, 2012 at 8:51 pm | Permalink

    The site is blocked in my country and I could not look it up.

  2. MAH
    Posted May 26, 2012 at 12:39 am | Permalink

    Thank you very much for the heads-up.

  3. Posted May 26, 2012 at 8:11 am | Permalink

    Simurgh is just puff which is just an ssh tunnel to a server in california. a few issues I found:
    1. the ssl cert for the simurghesabz site is invalid.
    2. the software has no signatures. authenticode or pgp would go far here.
    3. the site is running a remotely exploitable version of joomla. this entire site could be static html. there is no reason for php or joomla.
    4. the site relies on googleapis.com javascript for no apparent reason.
    5. the site uses google-analytics, thereby telling google and law enforcement (good or bad) about the user in detail and their entire browsing history.
    6. simurgh is just an ssh vpn, with the private keys inside the software. the whole setup is trivial to break. esp for a govt like iran.

    Dumb users get what they deserve. Dumb developers should not be writing software for hostile interwebs.

  4. Posted May 26, 2012 at 5:03 pm | Permalink

    i like simurgh

  5. parwiz
    Posted May 27, 2012 at 10:00 am | Permalink

    We need something better, more secure and faster.
    At this time I must first run Freegate 7.29 and then Simurgh; Simurgh is filtered.
    If it is possible then mail me (send me) a better version.
    Thanks,
    mainy

  6. Posted May 27, 2012 at 12:57 pm | Permalink

    Where did you find this infected file? This is very important to help find the actual actors behind such activities.

    Is there a C&C involved? If so, what about information on that?

  7. DoctorWho
    Posted May 31, 2012 at 5:37 am | Permalink

    Is there any information about who invented that malicious backdoor version?

  8. Karim
    Posted June 11, 2012 at 2:37 am | Permalink

    If they just stop blocking sites, we will stop using backdoor applications.

  9. Posted August 3, 2013 at 2:43 pm | Permalink

    I can’t access Facebook in Iran, please help me.

  10. saleh mozaffari
    Posted August 23, 2013 at 7:12 am | Permalink

    I’m using Windows XP. Sometimes Simurgh works perfectly and sometimes it gives me an error message saying SYSTEM ERROR – PLONK.exe. What is the solution please? Is there any other program I should install to make Simurgh work correctly? I noticed that when I downloaded the .NET Framework and Windows Imaging Component it worked, so is it related? What are the requirements please?

