Syrian spyware used to target opposition activists

CNN reported on malicious programs being used to target the Syrian opposition: computer viruses that spy on their victims. According to the report, those affected include a Syrian opposition group and a former international aid worker whose computer was infected. The attackers steal the identities of opposition activists, then impersonate them in online chats to gain the trust of other users, pass out Trojan horse viruses and encourage people to open them.

A security researcher in the Malware Detection Team (MDT) at Norman analysed the packages and found two malicious programs: one displays a message about downloading a free security program, and one shows no visible action when executed. He said: "Most of the ones we've seen come as self-extracting RAR executables that extract a malicious program."

The malicious programs have been Visual Basic executables that are primarily downloaders and keyloggers; they download an encrypted update from a site in Syria (216.6.0.28). Some contain the internal strings "Love Maker" and "mero", and one contains an innocent MAC address changer application, according to Norman.

Once on the victim's computer, the malware sends information out to third parties. Vikram Thakur, principal security response manager at Symantec Corporation, has dubbed the simpler virus "Backdoor.Breut"; it was the more complex virus that the former aid worker unwittingly downloaded during a chat. Backdoor.Breut attempts to give the attacker remote control of the victim's computer, according to the analysis: it steals passwords and system information, downloads new programs, guides internal processes, logs keystrokes and takes pictures with the webcam.

This virus sends the information it pillages from infected computers to the IP address 216.6.0.28. "We checked the IP address that our engineer referenced and can confirm that it belongs to the STE (Syrian Telecommunications Establishment)," a Symantec representative wrote to CNN. The STE is the state telecommunications company. It is not clear whether STE itself is behind this.

Update: According to recent analysis by malware researchers, the DarkComet RAT (Remote Administration Tool) version 3.3 was packed in SFX (self-extracting) archives as 1122333.exe, which injects the binary into the Windows process "svchost.exe". This Syrian malware uses "#KCMDDC2#-" as its DarkComet key.
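As an added example (not part of the article or of any published analysis), a Python triage helper built around the key quoted above: DarkComet RC4-encrypts its command channel and sends the ciphertext hex-encoded, so a defender holding a packet capture can check whether traffic to a suspect host decrypts to readable command text under "#KCMDDC2#-", and scan a memory dump for the key marker. The sample message, and the assumption that no password is appended to the key, are constructed for the demo.

```python
# Added example (not from the article): triage helper for DarkComet traffic.
# DarkComet RC4-encrypts its command channel and sends the ciphertext hex-encoded.
# The key below is the one quoted in the article; that no password is appended
# to it is an assumption of this example. The sample message is constructed.
from typing import List, Optional

DARKCOMET_KEY = b"#KCMDDC2#-"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_darkcomet(hex_payload: str, key: bytes = DARKCOMET_KEY) -> Optional[str]:
    """Hex-decode and RC4-decrypt one message. A correct key yields printable
    ASCII command text; a wrong key or unrelated traffic yields binary junk,
    reported as None so the caller treats the host as not (yet) confirmed."""
    try:
        raw = bytes.fromhex(hex_payload.strip())
    except ValueError:
        return None
    plain = rc4(key, raw)
    if plain and all(32 <= b < 127 for b in plain):
        return plain.decode("ascii")
    return None


def find_key_marker(blob: bytes) -> List[int]:
    """Offsets of the DarkComet key prefix inside a memory dump or dropped
    file; the text between '#KCMDDC' and '#-' identifies the RAT version."""
    return [i for i in range(len(blob)) if blob.startswith(b"#KCMDDC", i)]


# Constructed wire sample: a fake command line as the controller would send it.
SAMPLE_WIRE = rc4(DARKCOMET_KEY, b"INFO|constructed-host|Windows XP|1.2.3.4").hex().upper()

if __name__ == "__main__":
    print(decode_darkcomet(SAMPLE_WIRE), find_key_marker(b"\x00\x00#KCMDDC2#-\x00"))
```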

Update: The regime is using the DarkComet RAT (detected as Backdoor:Win32/Fynloski.A by Microsoft) to spy on its own people. The creator of DarkComet was disgusted by that behaviour and has retaliated with a specially created tool, DarkComet RAT Remover, that detects and removes his own RAT, to help the oppressed Syrian people.
