Backdoor Found In Hacked Version of Anti-Censorship Tool Simurgh

timothy posted more than 2 years ago | from the so-how-do-you-trust-the-assurances? dept.

wiredmikey writes "Simurgh, a privacy tool used in Iran and Syria to bypass Internet censorship and governmental monitoring, is being circulated with a backdoor. The compromised version has been offered on P2P networks and via web searches. Research conducted by CitizenLab.org has shown that the malicious version isn't available from the original software source, only through third-party access, so it appears that Simurgh has been repackaged. The troubling aspect of the malicious version is that while it does install the proxy as expected, it then adds a keylogging component, and ships the recorded information off to a server hosted in the U.S. and registered to a person in Saudi Arabia. In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software. At present, it is unknown who developed the hijacked version of Simurgh, or why they did so."

32 comments

Wow! (-1)

Anonymous Coward | more than 2 years ago | (#40168923)

About six months ago, I was overexerting myself trying to get rid of a terrible virus on a client's PC (I own a PC repair shop and have been fixing computers for over 10 years). Given my level of expertise, I thought I'd be able to get rid of it fairly quickly and without hassle, but as was made evident by my colossal failure, I was horribly, horribly wrong.

I couldn't remove the virus no matter what method I used. I tried all the latest anti-virus software and all the usual tricks, but it was all in vain. Failure after failure, my life was slowly being sucked away as I spent more and more of my time trying to get rid of this otherworldly virus.

Frustrated and stressed by my own failure, I began distancing myself from my wife and children. After a few days, I began verbally abusing them, and it eventually escalated into physical abuse. I was slowly losing what remaining sanity I had left. If this had continued for much longer, it is highly probable that I would have committed suicide. A mere shell of what I once was, I barricaded myself in my bedroom and cried myself to sleep for days on end.

That's when it happened: I found MyCleanPC [mycleanpc.com] ! I installed MyCleanPC [mycleanpc.com] right on the client's PC, ran a scan, and it immediately got rid of all the viruses without a single problem. MyCleanPC [mycleanpc.com] accomplished in record time what I was unable to accomplish after a full week. Wow! Such a thing!

MyCleanPC [mycleanpc.com] is outstanding! My client's computer is running faster than ever! I highly recommend you install MyCleanPC [mycleanpc.com] right this minuteness, run a scan, and then boost your PC speed in record time! MyCleanPC [mycleanpc.com] came through with flying colours where no one else could!

My client's response? "MyCleanPC [mycleanpc.com] totally cleaned up my system, and increased my speed!" All the PC repair professionals are using MyCleanPC [mycleanpc.com] to solve all of their problems. This should be reason enough for you to switch to MyCleanPC [mycleanpc.com] ! It'll speed up your computer, rid it of all viruses, and you'll be able to work productively again! Wow!

Even if you're not having any obvious computer problems, you could still be in danger. That's why I very highly recommend that you still use MyCleanPC [mycleanpc.com] . After all, it will boost your PC & internet speed to levels you never would think are possible!

MyCleanPC: For a Cleaner, Safer PC. [mycleanpc.com]

Re:Wow! (1)

Sulphur (1548251) | more than 2 years ago | (#40174703)

About six months ago, I was overexerting . . .

He thinks he's slashdotted too.

what the fuck happened to slashdot?? (-1)

Anonymous Coward | more than 2 years ago | (#40168971)

There was a time when saying HOT GRITS would almost get you a -1 before you saved the fucking message.

What the FUCK happened to slashdot?

fuck you anderson cooper.

Because... (-1)

Anonymous Coward | more than 2 years ago | (#40168975)

They wanted to log your FIRST POST! Duh...

Break the trust network (5, Informative)

girlintraining (1395911) | more than 2 years ago | (#40169055)

Censorship is ultimately about breaking trust networks. Pro-censorship governments almost always want the citizens to trust them above all other sources. Cryptography, anti-censorship proxies, and other communication mediums provide an external point of view. This is only dangerous to governments that aren't telling the truth -- in which case, their reaction to such communication mediums is from an understanding of how much that trust would be damaged if word got out about what they're really doing. What this means is, it's obvious that such a government would poison pill any alternatives by making them appear (or interfering with them in such a way as to cause them) to be untrustworthy. The malware may or may not have been released by the government; it's doubtful we'll ever know the truth, but it is obviously in the government's best interests to damage the reliability of any kind of 'bypass' software.

Disclaimer: Many governments, including those who claim to be "free" engage in similar behavior. Your government is not exempt from this behavior.

Re:Break the trust network (1)

bughunter (10093) | more than 2 years ago | (#40169253)

The malware may or may not have been released by the government; It's doubtful we'll ever know the truth...

Well, if the keylogger sends its log to a server somewhere, perhaps there may be some useful evidence as to the authors' identity. I'm willing to wager that Citizen Lab and others are working on it now...

Re:Break the trust network (2)

localman57 (1340533) | more than 2 years ago | (#40169371)

perhaps there may be some useful evidence as to the authors' identity. I'm willing to wager that Citizen Lab and others are working on it now

Who cares, though, really? I mean, if the guy was in the US, I suppose you could prosecute him. Maybe. But in the grand scheme of things, it's pretty clear that Assad is using artillery against civilians on a regular basis, and the Green movement was put down in Iran by force. Given the international response we've seen for these things (I'm not implying that there was a clear course of action to take, just that there was a lot of inaction), who's gonna give a shit about a keylogger?

Obviously, this is Slashdot, and people enjoy thinking through the technical aspect of these things--how to solve the mystery. But even if you solve it, the solution isn't worth much, I'm afraid.

Re:Break the trust network (1)

idontgno (624372) | more than 2 years ago | (#40169579)

I suspect the security apparatuses of the countries you mentioned are working to catch the low-level under-the-table "sedition" with these monitoring tools so that they can prevent the next round of "artillery against civilians" and "put down by force".

Far more effective to squash nascent rebellion while it's still a whispered conspiracy than try to crush it after it flares into open conflict.

They're not fighting this war... they're fighting the next one. And, judging from the apparent ultimate destination of the keylogging, "they" aren't necessarily just Syria or Iran, but more likely Saudi Arabia or the Emirates. I suspect the rulership in those places are in perpetual low-level dread of any kind of internal dissent flaring into their own rendition of Arab Spring, and having this kind of monitoring capability in what would otherwise be a circumvention tool would go a long way towards easing that fear.

Re:Break the trust network (1)

localman57 (1340533) | more than 2 years ago | (#40169695)

I think you're missing my point. Detecting that the tool is compromised is a good thing. I agree with you. It's important that people know it's compromised. But trying very hard to figure out who did it isn't worth the effort, because it likely will just point back to the bad guys in the first place, who you already know are bad, and against whom you're already doing everything you think is practical. Or, alternatively, they're people like the Saudis, who you'll pretty much give a pass to anyway, because you like them better than whomever you think likely to replace them.

Re:Break the trust network (1)

budgenator (254554) | more than 2 years ago | (#40171411)

Too bad we don't know the address of the server receiving the keylogger data. I mean, if their intention is to collect data, I'm sure I could send them a couple GB with just a simple Perl script [slashdot.org]

Re:Break the trust network (2)

cheekyjohnson (1873388) | more than 2 years ago | (#40169341)

Your government is not exempt from this behavior.

But... land of the free! My government would never abuse its citizens! That's why censorship, the TSA, warrantless wiretapping, questionable wars, indefinite detainment, and torture are all perfectly acceptable. If they claim doing those will stop the terrorists or protect the children, of course.

Re:Break the trust network (0)

Anonymous Coward | more than 2 years ago | (#40169511)

But there is no censorship! I can write that [censored] is [censored] as much as I want and no one will stop me!

Re:Break the trust network (1)

Alex Belits (437) | more than 2 years ago | (#40172141)

Censorship is ultimately about breaking trust networks.

Censorship only applies to public communications, and its goal is preventing the spread of propaganda.

Personal communications at this point are completely irrelevant because anyone who has enough brain to hide anything important, uses encryption and secure authentication.

Mr. Potato Head! (2)

Lucas123 (935744) | more than 2 years ago | (#40169109)

Mister Potato Head! Back doors are not secrets!

Re:Mr. Potato Head! (0)

Anonymous Coward | more than 2 years ago | (#40169231)

you sir, win.

Re:Mr. Potato Head! (1)

DNS-and-BIND (461968) | more than 2 years ago | (#40170031)

The fact that back doors exist is not a secret. What's secret is the back door itself. Hell, part of the damn plot of the damn movie was the kid trying to figure out what the back door was!

It just goes to show you, only download from the original source, and be one of those people who actually checks software checksums.

Pffft !! (1)

fustakrakich (1673220) | more than 2 years ago | (#40169183)

A backdoor was found in the 787 [chipsecurity.org]

Re:Pffft !! (3, Informative)

John Hasler (414242) | more than 2 years ago | (#40169319)

That's bullshit. The Register [theregister.co.uk]

Re:Pffft !! (1)

rtfa-troll (1340807) | more than 2 years ago | (#40170801)

And that's bullshit, as was discussed on here a day or so ago. This is not an accidentally left debugging backdoor. There was a separate, openly disclosed (but proprietary and controlled) debugging system via the JTAG connections. That had one specific limitation: that you couldn't use it to read out a crypto key from the chip. There was a very carefully hidden way to break that security, which the person who put it there would be pretty sure would not be discovered. They even went to the effort to protect it against differential power analysis, the strongest previously published attack on such circuits, something that would be completely pointless in a debugging circuit you planned to remove in the production system.

Please go back and read the original paper carefully. It even made it completely clear that the most likely source for the backdoor was the original design from the USA. The Register is just wrong here.

Predictable (1)

bughunter (10093) | more than 2 years ago | (#40169185)

Given the authoritarian control and censorship modern governments seem to be intent on imposing on the internet, this news should not surprise anyone.

What does surprise me, only slightly, is how obvious the execution of this trojan version is. I'm not trying to diminish Morgan Marquis-Boire's contribution to the international community; we owe people like him our gratitude and admiration. I just would have expected slightly better kung fu from a government censor... maybe I'm giving them too much credit.

Kudos to the teams at Citizen Lab and Simurgh for reacting quickly, and hopefully minimizing the casualties caused by this trojan.

very strange (1)

slashmydots (2189826) | more than 2 years ago | (#40169391)

server hosted in the U.S. and registered to a person in Saudi Arabia

Wow, there's something you don't see every day. Usually it's exactly the opposite. Someone's got to have some serious balls and a serious lack of brains to host a malware control type server in the US!

Re:very strange (1)

BlackSnake112 (912158) | more than 2 years ago | (#40169433)

I thought there were many servers (a lot in CA) that are merely in the US for foreign people. Since they had a US IP they were not blocked even though they are pushing the same crap as their foreign counterparts.

or why they did so." (1)

wganz (113345) | more than 2 years ago | (#40169603)

Seriously, do you have to ask or are you that naive?

How's that work? (1)

Just Some Guy (3352) | more than 2 years ago | (#40170143)

In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software

Ummm, and an attacker would be unable to modify the verifyIntegrity() function to return "I'm perfectly OK!"?
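As an added example (not code from Simurgh, Citizen Lab, or anyone in this thread), this ties together DNS-and-BIND's advice above to check software checksums and Just Some Guy's objection that a check living inside the program can be patched out by whoever repackages it: the verifier below lives outside the download and compares it against a sha256sum-style manifest assumed to be fetched separately from the vendor's own site. Filenames, file bytes and the manifest are constructed.

```python
"""Out-of-band checksum verification for downloaded installers.

Added example, not code from Simurgh, Citizen Lab or the Slashdot thread.
A self-check shipped inside an installer can be repackaged along with it,
so the expected digests are assumed to come from a separate channel (the
vendor's site or a signed announcement), never from the download itself.
"""
import hashlib
import hmac


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict.

    Blank lines and '#' comments are skipped; a malformed line raises so a
    truncated or tampered manifest is never silently treated as valid.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed manifest line: %r" % raw)
        # sha256sum marks binary-mode entries with a leading '*' on the name
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_files(files, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'UNLISTED'} for each download.

    `files` maps filename -> bytes. A file the manifest does not list is
    reported as UNLISTED rather than accepted by default.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if name not in expected:
            results[name] = "UNLISTED"
        elif hmac.compare_digest(actual, expected[name]):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


# Constructed sample: a genuine download and a repackaged copy of it.
GENUINE = b"simurgh-installer: original bytes\n"
REPACKAGED = GENUINE + b"extra component appended by a third party\n"
MANIFEST = ("# constructed manifest, as if fetched from the vendor site\n"
            + hashlib.sha256(GENUINE).hexdigest() + "  simurgh.exe\n")
```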

We all know why (1)

artisteeternite (638994) | more than 2 years ago | (#40170293)

"At present, it is unknown who developed the hijacked version of Simurgh, or why they did so."

The obvious answer would be that it was created to spy on dissidents and the like.

Re:We all know why (1)

Mashiki (184564) | more than 2 years ago | (#40172961)

Well, considering that it's being funneled to Saudi Arabia, my guess is that someone is, or a group of people are, working as a group of brokers tipping off governments to various underground workings so they can pounce on them. The other possibility is that Saudi Arabia (or one of the myriad of princes) authorized this in order to bolster relations between the kingdom and various Arab countries.

Or it's someone who wants to be paid for information. Infobrokers are real after all, and information does sell well, especially if you have the ethics of a rat carrying the plague.

Of course! (1)

Alex Belits (437) | more than 2 years ago | (#40172013)

CIA must know what political movements to hijack, and whom to blackmail!

Unknown? (1)

JCCyC (179760) | more than 2 years ago | (#40172277)

"it is unknown ... why they did so"

No, really?

this is one time we actually need the government (0)

Anonymous Coward | more than 2 years ago | (#40174045)

They should be tracking down who bought the server space and follow their physical movements, who they are, who they know, and who they work for. Instead they're hunting down file sharers, idiots.

Backdoor In Hacked Version of Anti-Censorship Tool (1)

dgharmon (2564621) | more than 2 years ago | (#40174441)

Well - DOH !!!

A snippet of code please... (1)

Blinkin1200 (917437) | more than 2 years ago | (#40175687)

If anyone can provide a snippet of code to upload to the logging server, I would be willing to upload a manual or two, or maybe even a video. I could even share my latest copy of Fedora or Ubuntu with them since everyone knows Linux is best. Then again, if the stuff is going overseas I should check the export restrictions. We can all help populate the logging server.