Iranian Anti-Censorship Software Laced with Malware

Software used by Iranian citizens to access the uncensored Internet anonymously has now been revealed to carry malware. Even worse, it carries a variant of malicious software that tracks everything any user types into an infected computer.

The dangerous software is named Simurgh, after a mythical creature in Iranian folklore. The software is thought to help Internet users combat harsh government controls and shield users from being located and identified.

Software Hides Identity of User From Watchers

The software is mostly used by Iranians to hide their identity. Users believe it creates difficulties for officials trying to detect or prove that a particular person has visited a particular site.

The software is also thought to act as a proxy, fooling anyone who tries tracking the computer's activity into thinking the user is based in another country.

Together, these two capabilities supposedly make it easier for a user to circumvent blocking and monitoring tools designed to thwart Iranian access to controversial sites, such as those criticizing the Iranian government.

The Simurgh software has become extremely popular because it uses less than 1 megabyte (MB) of hard drive space, making it quick to download even on a slow dial-up connection.

In addition, Simurgh doesn't need to be permanently installed on a computer: it can be carried on a USB memory stick and used on any compatible computer, such as the rentals made available in Internet cafes.

Bogus Simurgh Software Houses Keylogger

Researchers at the University of Toronto have now discovered that at least one version of Simurgh contains an unsuspected bonus feature: a secret keylogger, which automatically makes a copy of everything a user types into the computer running the software.

Simurgh not only copies this information, it secretly sends it to a website that is registered with an Internet service provider in Saudi Arabia. (Source: citizenlab.org)

There are two explanations for why someone has compromised the Simurgh software in this way:

The most likely possibility is that someone is simply trying to acquire log-in details and passwords associated with the credit cards and banking accounts of unsuspecting users in Iran.

The second -- and more dangerous -- possibility is someone placed the keylogger in the software to help the Iranian government track the online activities of its political opponents. If this is so, their lives may be in danger.