Iranian anti-censorship tool laced with spy malware

An Iranian woman surfs the internet at a cyber cafe in central Tehran (AFP Photo/Atta Kenare)
A popular Iranian tool used to dodge state censorship turns out to contain hidden code that records every window click and keystroke and forwards it to a server registered to a Saudi Arabian entity.

The Simurgh program is a lightweight proxy tool that hides an internet user’s location and makes him or her appear to reside in a different country. It is popular among liberal Iranian youth, who use it to hide their identity and to access pages that are otherwise unavailable in the Islamic Republic because of state restrictions.

However, the program’s popularity apparently drew unwanted attention. Unknown criminals added malicious code to the original and distributed the tampered version through file-sharing sites.

The malware implanted in Simurgh logs users’ online activity, the website reports. It records every mouse click and keystroke, as well as some details about the computer running the program, and sends the data to a server located in the US. The server appears to be registered to an entity in Saudi Arabia.

The malware is nowhere near as complex as the infamous Flame virus, which made headlines recently. Keyloggers of this kind are often used by cyber criminals to steal their victims’ personal data, such as credit card numbers or bank account passwords. The fact that most popular anti-virus tools can detect and quarantine the malicious code indicates the low skill level of the people behind it.

The producer of the original Simurgh tool is now notifying users about the malicious version of its software through its website. The program now also checks for signs of compromise when it is launched and displays a warning in a splash window if the malware is detected.
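The tampered copies described above were spread through file-sharing sites rather than the publisher’s own site, so the basic defence for a user is to compare the downloaded file’s digest against a hash the original publisher lists on its own website. The example below is added here to illustrate that check; it is not Simurgh’s own launch-time check and not code from its producer. The file names, contents and the "publisher" hash are constructed for the demo and are not real Simurgh values.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """True only if the digest of `data` equals the published digest.

    hmac.compare_digest avoids leaking how many leading characters matched.
    The expected value must come from the publisher's own site, not from the
    same mirror that served the file: a mirror that can tamper with the file
    can just as easily publish a matching hash for the tampered copy.
    """
    return hmac.compare_digest(sha256_of_bytes(data), expected_hex.lower())


def verify_download(path, expected_hex: str) -> bool:
    """File-based variant of verify_bytes for a downloaded installer."""
    return hmac.compare_digest(sha256_of(path), expected_hex.lower())


def demo():
    """Constructed scenario: a genuine installer and a copy with extra bytes appended.

    Returns (genuine_ok, tampered_ok); a correct check yields (True, False).
    """
    with tempfile.TemporaryDirectory() as d:
        genuine = Path(d) / "tool_from_publisher.bin"       # hypothetical file name
        genuine.write_bytes(b"CONSTRUCTED genuine installer bytes")
        # The digest the publisher would list on its own website (constructed here).
        published_hash = sha256_of(genuine)

        tampered = Path(d) / "tool_from_filesharing_site.bin"  # hypothetical file name
        tampered.write_bytes(genuine.read_bytes() + b"CONSTRUCTED appended payload")

        return verify_download(genuine, published_hash), verify_download(tampered, published_hash)


if __name__ == "__main__":
    print(demo())
```

A hash list does not help once the attacker controls the publisher’s site as well, which is why a code-signing signature, checked against a key the user obtained separately, is the stronger version of the same check; the digest comparison shown here is the minimum that defeats a repackaged copy on a third-party mirror.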