U.S. antivirus experts say a virus is sending information to a server in Syria
Activists: Regime supporters are stealing oppositionists' online identities'
Imposters use stolen identities to pass the viruses to activists, opposition claims
Antivirus software may not yet optimally protect against the new viruses
In Syria’s cyberwar, the regime’s supporters have deployed a new weapon against opposition activists – computer viruses that spy on them, according to an IT specialist from a Syrian opposition group and a former international aid worker whose computer was infected.
A U.S.-based antivirus software maker, which analyzed one of the viruses at CNN’s request, said that it was recently written for a specific cyberespionage campaign and that it passes information it robs from computers to a server at a government-owned telecommunications company in Syria.
Supporters of dictator Bashar al-Assad first steal the identities of opposition activists, then impersonate them in online chats, said software engineer Dlshad Othman. They gain the trust of other users, pass out Trojan horse viruses and encourage people to open them.
Once on the victim’s computer, the malware sends information out to third parties.
Othman is an IT security “go-to-guy” for opposition activists. He resides outside of Syria for his own safety.
Since December, he has heard from dozens of opposition members who say their computers were infected. Two of them recently passed actual viruses to Othman and a colleague with whom he works. They checked them out.
“We have two malwares – first one is really complex,” Othman said via Skype chat. “It can hide itself more.”
The U.S. analysis of one of the viruses – the simpler one – would appear to corroborate the time of its launch around the start of the year.
The virus has two parts, said Vikram Thakur, principal security response manager at Symantec Corporation, known to consumers for its Norton antivirus software. He said one of them points to December 6 and the other to January 16.
Thakur has dubbed the simpler virus “backdoor.breut.”
It was the more complex virus that the former aid worker unwittingly downloaded during a chat. Since she travels to Syria, she has requested that CNN not name her for security reasons and instead refer to her as “Susan.”
To get a picture of the humanitarian needs on the ground in Syria, “Susan” contacted opposition members via the Internet. In January, she received a call via Skype from someone she believed was a regime opponent.
It was an imposter and a regime supporter, she claims.
“They called me actually and pretended that it’s him – this activist that I didn’t know, because I’d been talking to him only two times and only in writing.”
Days later, other opposition members told Susan and Othman that the activist she thought she had spoken with was in detention. Activists accuse government forces of coercing him to reveal his user name and identity and of then going online to impersonate him.
Othman says additional activists, who say they were detained and released, tell of being forced to turn over their passwords to Syrian authorities.
CNN cannot independently confirm the accusations, because the Syrian government strictly limits international media coverage within its borders.
Calls for Syrian government comment to a spokeswoman for al-Assad on Friday were not answered or did not go through. Friday is the weekly special day of prayer in the Muslim world.
The man chatting with Susan via Skype passed her a file. She recalled what he said to her to coax her to open it: “This makes sure that when you’re talking to me, it’s really me talking to you and not somebody else.”
She clicked on the file. “It actually didn’t do anything,” she said in a baffled tone. “I didn’t notice any change at all.”
No graphics launched; no pop-up opened to announce to the user that the virus was being downloaded. The link appeared to be dead or defected, said Othman.
The second virus, backdoor.breut, which was e-mailed to him by an activist inside Syria for analysis, launched the same way. “Download, open, then nothing,” Othman said.
It contains a fake Facebook logo and was passed off in a chat room as a Facebook security update, he said.
At CNN’s request, Othman forwarded that virus to an IT security expert in California for an independent analysis.
Othman removed the more complex malware on Susan’s computer but made an image of the infected hard drive beforehand. At more than 250 GB, it would have to be sent on an external hard drive by regular post – snail mail – for any independent scrutiny.
The U.S. expert confirmed the invisible nature of the backdoor.breut Trojan horse download.
“Nothing would actually show up,” said Thakur. “The only thing that the Trojan actually does – it copies itself into one of the temporary locations, but that would not be visible to the regular user.”
The malware launches when the user reboots the computer.
The Syrian cyberactivist and the California IT security manager pointed out that the lack of fanfare during download helps to conceal the viruses from their victims.
“Most of them will say ‘it’s a damaged file,’ and they will forget about it,” Othman said.
Susan did just that.
She was not aware she had been hacked until she lost her Facebook and e-mail accounts a few days after clicking on the file.
“I didn’t click on any kind of new link or something, so they must have known about the password,” she said, referring to the loss of her Facebook account.
She handed over her laptop to Othman and his colleague, who told her that the Trojan horse had logged her key strokes, taken screen shots, rummaged through her folders. It hid the IP address it sent its information to, Othman said.
Othman found a screen shot the Trojan horse took of Susan’s online banking home page. He told her to change all her passwords, Susan said.
“You don’t want your money to be stolen by some of the Syrian security guys,” she quipped.
The other virus – backdoor.breut – sends the information it pillages from infected computers to the IP address: 220.127.116.11 and does not hide this.
“We checked the IP address that our engineer referenced and can confirm that it belongs to the STE (Syrian Telecommunications Establishment),” a Symantec representative wrote to CNN. The STE is the government telecommunications company.
This does not necessarily mean that someone at STE is doing the hacking, Thakur stresses.
“Whether it’s a home user behind that or it’s actually a company or an organization, which has been allocated that IP address, we just have no insight from where we sit.”
But the Syrian government has access to all activity through that server “absolutely without any doubt,” Thakur said. Anyone not wanting the government to see what they are up to would not use that server.
Skilled Syrian opposition activists avoid government telecom servers when online.
The simple virus, backdoor.breut, acts like a bull in a china shop, Symantec’s Thakur said.
“It did not look like it was written by any sophisticated hacker,” he said after examining it. “It was just kind of put together – slapstick functionality.”
Simple malware is readily available for download on underground forums in the Internet. Hackers can repurpose it and hand it out. Othman believed the second software to be such an off-the-shelf product because of its amateurish construction, but the California expert disagrees.
“It’s not something that somebody just went out there, copied code from an Internet website and just pasted it in. It was definitely coded for its current purpose.”
The name “backdoor.breut” derives from the virus’ behavior.
“We sort of took the word ‘brute’ just because of what it was actually doing and kind of changed a couple of characters to b-r-e-u-t,” Thakur said.
“Brute – meaning that it is using brute force – it’s just going in smash-and-grab – I’m going to try to get anything that I can and get the hell out of there.”
Backdoor.breut attempts to give the hacker remote control of the victim’s computer, according to the analysis. It steals passwords and system information, downloads new programs, guides internal processes, logs keystrokes and takes shots with the webcam.
It also turns off antivirus notification, but that does not completely conceal it from detection. “Some of the good software can detect it in the same day,” Thakur said.
The nature of its use may make backdoor.breut and other new Syrian malware hard to defend against. Antivirus makers need to know the virus to be able to assign it a signature and make the file detectible to block the download, according to Thakur.
The more widely a new virus spreads around the world, the more likely it is to land on an antivirus maker’s radar. The smaller the region the virus is located in, the less likely virus vigilantes are to notice and combat it.
“Looking at this Trojan and the telemetry that we’ve gathered the last five or six days since we did the analysis, this is not targeting people across the complete globe. So, it could be days before some antiviruses actually create signatures for the file,” Thakur said.
More complex antivirus software can detect malware that does not yet have a signature, because of how it behaves after infecting the computer, Thakur said. If the antivirus does not have this ‘behavior’ component, it may not defend against a new virus “for a substantial amount of time.”
On a Facebook page named “Cyber Arabs,” Othman warns activists of the danger of downloading the virus and reminds users to keep their antivirus software updated.
Download.com, CNET’s software download website, offers antivirus software, some of which includes a “behavior” component and is free of charge.
But that is still no guarantee for not contracting a new Syrian cyberbug, “Susan” reminds.
“It was up-to-date,” she said. “The problem is that they sent me a … file, and I was totally stupid – like, it’s an EXE file – and I opened it.”
John Scott-Railton also contributed to this story.