Popular Iranian proxy software found to include Trojan that reports user data

Tags: Cyber crime, Iran, Malware, Syria

Anti-censorship software compromised with spyware

A compromised version of the Simurgh proxy has been sending user data to a remote site registered with a Saudi ISP.

By Mark Sutton
Published June 3, 2012

A popular web proxy used by Iranians and Syrians to bypass web censorship has been compromised, according to researchers at the University of Toronto.

The Iranian-developed Simurgh standalone proxy has been widely used in Iran to bypass web censorship and to allow the user to browse anonymously, but compromised versions downloaded from the 4Shared file sharing service have had an additional Trojan added to steal user data.

Security researcher Morgan Marquis-Boire wrote in a blog post: “This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan.”

The university researchers discovered the back door after taking a closer look at Simurgh, which has been growing in popularity among Syrians. The Trojan includes a keystroke logger and appears to be sending data via HTTP POST requests to a remote site registered with a Saudi Arabian ISP.

Researchers say most anti-virus software should detect the Trojan. A user who does detect an infection should assume that any sensitive data and accounts accessed via that PC may have been compromised, and should change passwords. The Simurgh website is also warning users to check their PCs.