Syrian Dissidents Hit By Another Wave of Targeted State-Sponsored Attacks

Trailrunner7 writes "One of the attackers who has been targeting Syrian anti-government activists with malware and surveillance tools has returned and upped the ante with the use of the BlackShades RAT, a remote-access tool that gives him the ability to spy on victims machines through keylogging and screenshots. The original attacks against Syrian activists, who are working against the government's months-long violent crackdown, were using another RAT known as Xtreme RAT, with similar capabilities. That malware was being spread through a couple of different targeted attacks, including one in which activists were directed to YouTube videos and their account credentials were then stolen when they logged in to leave comments. That attack continued with the installation of the RAT, giving the attacker surreptitious access to the victims' machines, enabling him to monitor their activities online. Now, researchers say that at least one attacker who is known to be involved in these targeted attacks also is using the BlackShades RAT in a new set of attacks."

IT'S OKAY !! RUSSIA AND CHINA SAY SO !!

So relax, take it easy !!

Can't they

[Threni]

burn the Tails TOR distro to cd so it's read only. And do basic, common sense stuff like using disposable accounts to post publicly (signing content so people can trust the authenticity of the posts)?

Youtube?

[girlintraining]

I have to question the accuracy of this submission; If they're directed to YouTube and that is the source of the drive-by infection, then that means that everyone who uses YouTube globally would be vulnerable to this, not just Syrian dissidents. It would also require the cooperation of Google; Which in turn means this is tandamount to an admission that the US government is helping Syria track down it's political dissidents. Historically, we have invested a lot of intelligence resources to help those dissidents destabilize that government. It seems unlikely we'd reverse that trend now.

So it is more likely that either the Syrian government is hijacking requests destined for YouTube to its own servers via one of a dozen or so possible attack vectors (BGP poisoning, man in the middle attack, etc.), or the site is a lookalike that isn't YouTube.

So, which is it?

Re:Youtube?

[idontgno]

Proxying plus script injection could accomplish this effect without Google's complicity or any type of site spoofing.

where are you Anonymous?

[circletimessquare]

Do some good. Load those low orbit ion cannons, ddos the Syrian Govt's capacity.

Re:where are you Anonymous?

[Mashiki]

AHahaha...yeah the script kiddies. Oh sure. Yep they're out doing good stuff again. So anyway, I mean the rebels are out doing things like trying to get reporters killed too. But hey, whatever. Pallywood everywhere!

Re:where are you Anonymous?

[Dan541]

Oh yea, a bunch of foul mouth teenager with cmd.exe ping are going to save the day.

Re:where are you Anonymous?

We all know Israel just want to keep those dictators so it sent out her idiots to spread propaganda. Maybe you should read a few times he thinks, there is no proof. Landscape is changing quickly and those reporters are all trying to get to the most dangerous places. Do we say US army is trying to kill journalist even though they are those who kill the most journalists in the world!

Re:where are you Anonymous?

[Mashiki]

We all know Israel just want to keep those dictators so it sent out her idiots to spread propaganda. ....

That makes even less sense than what you usually see from the average Israel hater. So let me see if I get this straight, Israel, and in turn Jews, the most prosecuted religious and ethnic group that we've seen in the last 2000 years, has a vested interest in...oppressing themselves? Okay there. That's why in every defensive war they've ever fought, they've given up more than what they've gained in order to secure peace.

Yeah, just a few bricks short of a full load there.

Re:where are you Anonymous?

[Psyborgue]

So Israel, is supporing Assad you say? An ally of Iran and a state supporter of terrorist attacks against Israel (Hezbollah, among others)? Seems to be Israel has no reason at all to support Assad. Sure the rebels might exactly be friendly either, but they can hardly be worse. No matter who is in power, weapons are going to get smuggled into Lebanon. Sunni may not like Shiite, but they both hate the Jews and are willing to cooperate when convenient. Iran supplies and funds Hamas and other Sunni groups, for example, not just Hezbollah.

O RLY?

If you still believe in Syrian "dissidents", watch this.
https://www.youtube.com/watch?v=cGYTM9-DSEI#t=36m02s

Re:O RLY?

hurr the jews did it

it's getting to the point where you can predict the argument before even clicking the link

Re:O RLY?

[Dunbal]

Yah I love the part where he tries to drag "building 7" into it.

Re:O RLY?

it's getting to the point where you can predict the argument before even clicking the link

No, it has got to the point when lots of people are completely zombified by Western propaganda and are unwilling to even hear anything that contradicts it. And you are the perfect example.

Re:O RLY?

I think it's more like people like you are sick of Western propaganda and are willing to embrace anything that contradicts it, including greater falsehoods.

Re:O RLY?

I think it's more like people like you are sick of Western propaganda and are willing to embrace anything that contradicts it, including greater falsehoods.

OK, let's talk about the "falsehoods" in the video. If they are so obvious, it must be really simple to state them.

Re:O RLY?

I think I'm going to take a page from you and insinuate that they're falsehoods and demand that you prove me wrong.

Re:O RLY?

[Em+Adespoton]

I'm going to point out that this entire article is about luring people to view Youtube videos in an attempt to load a RAT onto their PC... Just saying.

Re:O RLY?

OK, let's talk about the "falsehoods" in the video. If they are so obvious, it must be really simple to state them

Poor NIST spent years working on their WTC7 invesgitation and associated report at great taxpayer expense. The least all ye conspiracy cracknuts could do is read the damn thing.. yea I know I know why waste your time on more government propoganda.

As to predicting the collapse of WTC7 a decision had been made earlier to abandon the building making no further attempts to try and save it. This meant all firefighters within the building would be pulling out. No life was in danger and enough firefighters had already died for one day. People were saying it would eventually collapse due to this fact and one of those statements made it to a reporter.

There were a number of things reported that day later found to be wrong or inaccurate due to communication breakdowns of various stripes. Media was far from the only victim. From 911 commission report even the vice president was mistakenly under impression commercial jets had already been shot down by military aircraft.

Re:O RLY?

A lot of the pro-assad propaganda is coming from israeli hasbara sources and israeli supporters for some reason. Israel really want to keep Assad where he is as he is fulling an important role for the survival of Israel. Unleash the arabs and west and israel loses control of the middle east.

Re:O RLY?

[Psyborgue]

The fuck are you on about? Assad supports Hezbollah and is an ally to Iran. Why on earth would Israel support Syria. If you want to know who IS supporting Syria, look to Iran, China, and Russia, and the latter two only because of oil from and weapons sales to Syria and Iran. It's in Israel's interests to back the rebels if anybody, but won't do so publicly because in the Arab world, if a Jew is on your side, you lose all credibility. As much has been said by the current administration in Israel. The rebels might not exactly be friendly to Israel, but it can't possibly get much worse than the current regieme in Syria.

tl;dr kill yourself

Why should I believe you?

This is a propaganda war as much as anything, and I don't have any evidence to believe either side.

Perhaps the Syrian government is not installing this software. Perhaps the activists are installing it to make the Syrian government look bad.

I have only an absence of evidence (impartially gathered and analysed), and that means I should believe no-one's conclusions.

Re:Why should I believe you?

man, we missed you in threads about OWS. you could have accused protesters of dressing up as police and pepper spraying their friends. where were you?

Re:Why should I believe you?

I'm sure some would, if they thought they could get away with it. They wouldn't be the first protesters to exaggerate their claims about police behavior. It's a shame, because there are some awful police and there are some excellent police - if you hate them all indiscriminately, you're going to end up with none of the latter.

Humans are conditioned from an early age to trust a uniform, whether physical or metaphorical. Once you've convinced everyone that you are what you say you are, you can get away with pretty much anything.

Re:Why should I believe you?

I'm not sure about this. I've been following Syria for awhile from many different news sources and the things I've seen I wish I could take back seeing.

After seeing their 5 year old kids mutilated in every possible way imaginable, in mass at that. I seriously doubt these guys care about what is running on their computers.

A year ago anonymous hacking into Syrian government websites was interesting, now it's not even a bleep on the radar in concerns for anyone who is watching much less the people involved.

If you really care go ahead and try and buy network access in Syria right now and setup a honeypot, maybe you have the time to care instead of speculating.

Re:Why should I believe you?

Why, pray tell, are you unable to gather any evidence?

Re:Why should I believe you?

[artor3]

Read the English-language Al Jazeera. They are a fantastic source for whenever you are worried that your views on the Middle East are being colored by Western propaganda.

Re:Why should I believe you?

Al Jazeera is a state owned news organization from Qatar, incidently Qatar was also the first to support NATO in Libya and they also called for the arab countries to send troops to syria. I'd say there goes your independent news source.

Re:Why should I believe you?

1) Most "news sources" are in fact re-publishers. It is very rare for people to be able to get unfettered access in hostile areas;

2) It seems clear that someone has recently been massacring groups of civilians. This is not the same as knowing who did it;

3) I don't need to set up a honeypot in order to disprove allegations about the Syrian government - it's the accusers who need to supply better proof;

4) It's true - I don't "care" much about security services of a random foreign government installing backdoors on activists' computers. Espionage and sabotage are surely the main duties of intelligence services, and Western governments appear to engage far more in this sort of thing than a creaky old dictatorship in the Middle East.

Re:Why should I believe you?

I am able to gather evidence in the form of accounts by a few activists.

I lack the resources to go into Syria and gather more evidence. No-one impartial and with the resources appears to have done so.

When the RIAA say "look, naughty IP address in our log!" you laugh them down. When the activist says "look, naughty IP address in our log!", how do you respond?

Re:Why should I believe you?

[ThatsNotPudding]

Read the English-language Al Jazeera [aljazeera.com]. They are a fantastic source for whenever you are worried that your views on the Middle East are being colored by Western propaganda.

When you need to have your spectrum re-tinted by Middle Eastern propaganda. Everyone has an agenda.

Re:Why should I believe you?

[flyingsquid]

This is a propaganda war as much as anything, and I don't have any evidence to believe either side.

Comments like this really, really piss me off. The thing is, you *do* have information, or rather, you have information if you want it. You have what the Syrian people do not have- free access to the internet- which means that you can go to Google News, type in something like "Syria Internet Surveillance" and in a second have all the information you want, and then think critically about what it all means. There are lots of articles about Syria spying on its citizens, there are dozens of articles about Western companies (including U.S. based companies like NetApp) selling Syria the equipment to monitor and censor the internet and cell phone messages. We have tons of information all telling the same story- Syria has gone to incredible lengths to monitor and censor its citizens' communication. That doesn't mean this story is true, but it does make these allegations credible.

Now, if you don't know anything about that, that's because of your own choices. You've made a choice not to be an informed citizen, and not to follow international news, and not to think critically. If you want to be uninformed, fine. You have that right. But don't go around being ignorant of the news and then pretending like you're far too clever to be taken in by propaganda.

An oppressive government

[nurb432]

oppresses its citizens..

news at *yawn* 6...

Good for them!

My (West European) country's media is abnormally giving almost daily coverage over the Syrian conflict. I understand that there are major geopolitical interests in the region and Syria happened to be in the wrong place at the wrong time (pun intended).

"Since the outbreak of the Somali Civil War in 1991 there has been no central government control over most of the country's territory.[2] The internationally recognized Transitional Federal Government controls only a small part of the country. Somalia has been characterized as a failed state and is one of the poorest and most violent states in the world." in http://en.wikipedia.org/wiki/Somalia

http://www.youtube.com/watch?v=BPkgkM-CtCo&feature=player_embedded

Syria is not the only place needing "humanitarian" attention, nor was Libia :)

Re:Good for them!

[WorBlux]

Somalia wasn't a failed state, it was a failure to create 8 states. It's a very tribal culture, and each tribe should just be recognized individually, imperial sensibilities be damned.

how not to help

I'm pretty sure that over the long run, the way to fight repressive regimes is NOT for a crapload of western consumers to keep buying computers that remove more and more control from the owner of that computer because we're too ignorant to run them ourselves. It too easily becomes impossible to run things like TOR or strongly encrypted anonymous communication or good steganography. (Does TOR even run on iOS?) The more people buy products like iPads and the new Windows tablets and locked down Android systems, the more I shudder to think about what that will mean for some people unfortunate enough to live with daily repression.

Those same tools that restrict what you can do with your own computer, are harmful to more than just COMPUTING freedom. They are harmful to freedom overall.

Sure, you say, right now you can still have your nice white box PC.... but tablets are predicted to be more than 50% of the entire market by 2015, and white box PCs are being locked down ever more. Sure, they NOW promise they wont' flip that bit to require signed "trusted" OSs... but just wait. The same tools you build now can be used for much worse purposes later.

I think ppls in the USA and Europe have had it too good for too long. We bitch about the state of things now, and some things that deserve to be bitched about... but the USA and EU authorities are not rounding up people en-mass and shooting them by the hundreds. (Yeah, I know some smartass will post an example of just that, but the point is, the SCALE of it is nothing like what's happening in Syria now, and the US and EU governments are not by and large focused on exterminating the people who disagree with them).

So go ahead, western consumers - keep buying systems that give you less and less control. When your own government becomes like that of Syria now, it'll be too late to reconsider what giving up control of your own computers really meant.

Re:how not to help

[Em+Adespoton]

Where were you during the debate about switching from standard transmission to automatic took place?

Re:how not to help

[Johann+Lau]

The fuck? What does that have to do with anything?

Re:how not to help

Well, I wasn't born yet probably. I only learned to drive in 2003.

Who are the good guys?

Do we have any way to really know for sure that the Syrian government are the bad guys here?
Why should we assume that the "dissidents" are preferable?

Re:Who are the good guys?

[Alex+Belits]

Because they work for CIA, the good guys!

Re:Who are the good guys?

[Em+Adespoton]

Do there have to be good guys? Can't all sides be bad?

Re:Who are the good guys?

Do we have any way to really know for sure that the Syrian government are the bad guys here? Why should we assume that the "dissidents" are preferable?

I guess the fact that a gov. is butchering their citizens makes them a bad guy. But, hey, I am guessing that you are with Iran, Russia, China, or North Korea?

Re:Who are the good guys?

This is a fantastic question, and indeed, the first question that ought to be asked in any discussion about Syria.

First of all, the idea that a revolution in a Muslim country would be anything even close to the Velvet revolution in Czechoslovakia (which resulted in Czech & Slovakia amicably separating) is one of the most inane assumptions anyone could make of Muslims. In Tunisia, where the Arab Spring started, this is what is going on today - from a country that was always assumed to be very Westernized, and far from Islamic, thanks partly to the efforts of its ex ruler Ben Ali. I'm no fan of Muammar Gadaffi, but in Libya, the way he was lynched pretty much demonstrated that those replacing him are no better than he was. In Egypt, the end of Mubarak has also meant an Islamic regime is on the verge of taking over that country, suppressing the Copts even more, and if they have their way, restarting their jihad against Israel. All the ignoramuses in the West who support these 'democratic' movements seem blissfully unmindful of the fact that these movements are also supported by al Qaeda. Reason is simple - what those people want is not political pluralism, and DEFINITELY NOT religious pluralism. What they want is Shariah states in their countries, and if there happen to be non Muslims there, to hell with them. Already, Christians have fled the newly US established 'democratic' Iraq for Syria, which they are now starting to flee for Lebanon. In Egypt and Tunisia too, Copts & Jews are getting ready to flee, if they haven't done so already. And if the Sunnis lose, retribution like the one by Gen Hafez al Assad in 1982 in Homs is likely to follow. So it's a struggle for survival for both sides.

The Arab League was pretty happy to support these 'democratic' movements in Tunisia, Libya and Egypt, but a funny thing happened in Bahrein. Since that country is 75% Shia, the Arab league, which now has only one Shia government in it - Iraq - doesn't want democracy there. So when the Arab Spring spread there, the Arab League was quick to propagandize that that actually was an Iranian attempt to take over the country via its Shia proxys, and the Saudis sent in troops to prevent their monarchy from collapsing.

In Syria, what the Arab League alleged about Bahrein is even more true about Syria - in the converse sense. This is not an 'Arab Spring' type revolution, like in Eypt, Libya and Tunisia (where Jihadi elements came to power). It is a power struggle between the Sunni majority in that country, backed by Saudi Arabia and Turkey, vs a non Sunni coalition of Alawites, Druze, Syrian Christians and others led by the Baath party, and backed by Iran and Hizbullah. In short, it is a civil war, where both sides have everything to lose. If the Alawites lose, they will be massacred - already, there have been reports of Syrian Christians, Alawites and Shia being driven

One way to avoid this

[techno-vampire]

I took a look at TFA, and saw exactly what I expected: the malware is specifically designed to attack computers running Windows. Now, I'll admit that that's reasonable, considering how big Microsoft's market share is, but it does lead to an interesting suggestion: get the dissidents to move to Linux, at least as dual-boot, and only use Linux for their political activities. Not because Linux is immune to malware, but because it's immune to the specific malware they need to be concerned about. And, if they're not comfortable with English, there's even a distro, Parsix, that can be installed in either English or Parsi.

Re:One way to avoid this

[unixisc]

Except that the people of Syria don't speak Farsi - not even the Shia or Alawites. Although there may be Arabic localization in some of the lead distros.

Re:One way to avoid this

[techno-vampire]

Yeah, I kinda figured that. However, the distro does come with the appropriate fonts by default, and the maintainers would probably see nothing wrong with adding an Arabic spin. The important thing, IMO, is getting them away from using a vulnerable OS for their political activities.

Not dissidents...

.... they're operatives of the US and Israel.

They've been caught killing civilians and blaming it on the Syrian government.

They've been caught making fake newscasts.

This is covert warfare, pure and simple.

Re:Not dissidents...

[couchslug]

Citations needed.

Targeted __WINDOWS__ attacks.

[couchslug]

Yes, it matters.

Even the US military "gets" that Windows machines at home aren't at all secure and offers this nifty distro. Free download, and if you are USian your taxes were actually spent well for a change:

http://www.spi.dod.mil/lipose.htm

How come there's no such hacker in Libya ?

[Taco+Cowboy]

Looks like the Syrian government is much more technically advanced than the one ran by the late Colonel Gaddafi in Libya

This is free too, no need to change OS

"Even the US military "gets" that Windows machines at home aren't at all secure and offers this nifty distro. Free download" - by couchslug (175151) on Wednesday June 20, @08:39PM (#40392757)

Windows is easily secured though - & yes, it doesn't come as 'security-hardened' as is possible, but that's the SAME as most ANY commercially available OS "for the masses" out there (inclusive of even SeLinux distros of Linux too)!

It's also EASILY DOABLE, and, with an EASY TO USE free tool (CIS Tool -> http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings ).

That only takes a short while to use, and it actually makes it "fun-to-do" in a geeky kind of way using "best security practices", since it's more-or-less a "security benchmark" (like running a performance benchmark program almost)!

That, and doing a few more things ontop of CIS Tool's suggestions -> http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Search&gbv=1&sei=eQzjT766D6rZ0QHUi6WdAw

* Does it work? Absolutely...

Between:

---

A.) Conscientious patching of your Operating System + Programs you use
B.) Closing off unneeded listeners (services or otherwise) that solicit external connections that you don't really need to use
C.) Watching the indiscriminate use of ActiveX, java, javascript (especially where you do NOT really need them) + browser plugins
D.) Using up-to-date antivirus/antispyware programs + their signatures
E.) Firewalls rules tables (both hardware & software ones)
F.) Browser addons for security
G.) Custom hosts files (that block out known hosts-domains/sites-servers that serve up malicious software or malicious scripting)
H.) Service Isolation security-hardening
I.) Port filtering
J.) Registry hack based security tweaks
K.) IP security policies hardening & usage
L.) ACL security hardening (registry + filesystem)
M.) WebBrowser isolation techniques & sandboxing
N.) Using filtering DNS servers (Norton DNS/OpenDNS/ScrubIt DNS)
O.) Most importantly & lastly - Educating users where potential threats come from + how to avoid them...

---

?

Yes, you can be safe online... and the CIS tool I noted above earlier? It's multiplatform, highly rated by many, & easy to use (bonus) as well as "fun"...

APK

P.S.=> No need to switch to Linux really... now, I know, for a FACT, you're a "Pro-*NIX" Penguin couchslug, but not noting that Windows is securable & putting up a Linux variant on your part is just a dead giveaway to that fact also - especially when there's NO REAL NEED to switch to another OS users aren't as familiar with... apk

Re:This is free too, no need to change OS

Did you guys even read the original article before getting into a Windows vs *Nix debate?

If you did, you'd probably notice the attack was based on a proxy.. The request to goto YouTube gets bounced through a proxy which records your login/authentication in an effort to steal your login credentials.

LOL what exactly could ANY operating system do for this? Granted I'm not a networking guy but to me this is a browser issue, if anything. Most browsers COULD warn users about this, but out of the box to my knowledge none do because MOST login process' bounce around from 2 - 5 different servers and people would get nagged to death and probably couldn't effectively tell when the warnings are real or whether or not it's just another false positive.

I didn't: BUT, I have a possible solution

"Did you guys even read the original article before getting into a Windows vs *Nix debate?" - by Anonymous Coward on Thursday June 21, @11:25AM (#40398715)

See subject-line, & to this question from you? Ok:

"If you did, you'd probably notice the attack was based on a proxy.. The request to goto YouTube gets bounced through a proxy which records your login/authentication in an effort to steal your login credentials. LOL what exactly could ANY operating system do for this?" - by Anonymous Coward on Thursday June 21, @11:25AM (#40398715)

Great - since you're a "network guy" as you stated? Then, I'd suggest BLOCKING ACCESS TO SAID PROXY (provided it's identifiable)!

How? Well - doing so via a custom HOSTS file (if it's done by host-domain name) OR firewall rules table (covers IP addresses &/or host-domain names) SHOULD be able to suffice in that capacity...

(Thoughts?)

APK

P.S.=> Sorry about my reply to couchslug, but he's a "Tried-N-True/Dyed-in-the-Wool" *NIX fan, no questions asked (trust me, I know - have had NUMEROUS runins with him in the past, & dusted him completely every time)... he needs to be put in his place occasionally, &/or corrected - so, I did so... apk