Web users in Iran and Syria attempting to use a proxy tool to freely surf the Internet are reportedly being tracked by a new Trojan.
The proxy software known as Simurgh is used by many Iranian and Syrian citizens to make it seem as if their secure Internet connections are coming from a different country. Such proxy programs are common ways to mask a user's PC and Internet information in order to circumvent local censorship restrictions.
But a backdoored version of Simurgh discovered by researchers at the University of Toronto is carrying a payload of malware -- one designed to capture the username, IP address, and hostname of its users, and act as a keylogger to record any keystrokes entered.
"This Trojan has been specifically crafted to target people attempting to evade government censorship," the University of Toronto team wrote in its blog. "Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan."
The Trojan is detected by most anti-virus software, the team noted, but AV software can't necessarily clean an infected computer. The team is advising people to avoid downloading such software from untrusted sources and instead rely on trusted official Web sites using HTTPS for their security.
The creators behind Simurgh have also found a way to warn users who try to run the Trojan-infected version, according to security firm Sophos.
People who see the warning are urged to stop using the program and remove the malware using AV software. The real Simurgh software is a standalone product that doesn't require installation, Sophos added, distinguishing it from the malware version named Simurgh-setup.zip.
Neither the University of Toronto team nor Sophos speculated on who could be behind the fake version of Simurgh.
But Sophos said that "this malware is targeting users for whom having their communications compromised could result in imprisonment or worse."