Last week, EFF reported on two instances of pro-Syrian-government malware targeting Syrian activists through links sent in chats and emails. This week, we've seen new Windows malware dropped by a fake YouTube site hosting Syrian opposition videos.
Below is a screenshot of the fake YouTube page, which attacks users in two ways: it requires you to enter your YouTube login credentials in order to leave comments, and it installs malware disguised as an Adobe Flash Player update.
This phishing site has been taken down, but if you encounter a similar page do not enter your YouTube login credentials to comment. If you have already logged in to the site (or a similar site) to leave a comment follow the steps outlined below to see if your computer has been infected, and change your YouTube and Gmail passwords from an uninfected computer immediately. You may also wish to take some additional steps to make sure that your Gmail account is secure, including enabling 2-factor authentication and checking to see if any suspicious forwarding addresses or delegated accounts have been added to your account.
If you encounter a similar page do not click "Install" to update Flash. Clicking "Install" drops a file called setup.exe. This is a .NET file and .NET is required to run it. Once it is installed, the dropper connects back to an address in Syrian IP space and downloads additional malware, which gives the attacker administrative access to your computer.
To see if you have been infected, look for the following files:
These files are "system files" and will not be visible by default. To change your settings to make system files visible in Windows 7, Start-->Control Panel-->Appearance and Personalization-->Show hidden files and folders, then select the radio button called Show Hidden Files, Folders, and Drives. Remove the checkbox labeled "Hide extensions for known file types." Remove the checkbox labeled "Hide protected operating system files."
C:\Documents and Settings\Administrator\Local Settings\Temp\sysglobl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mscordbc.exe
On Windows 7 systems, you can find them here:
You can see both files in the screenshot below:
What do do if your computer is infected:
If your computer is infected, deleting the above files does not guarantee that your computer will be safe or secure. This attack eventually gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine. The safest course of action is to re-install the operating system on your computer and change all passwords to accounts you may have logged into while the computer was infected.
EFF is deeply concerned about this pattern of pro-government malware targeting online activists in authoritarian regimes. We will continue to keep a close eye on future developments in this area.