Syrian Malware Servers Survive Outage, Die Later

A massive outage knocked Syria’s Internet offline Nov. 29—with the exception of five servers implicated in serving malware earlier this year. But the next day, those five servers went dark as well.

Internet analytics firm Renesys suggested late Nov. 29 that those five servers were likely offshore. “Now, there are a few Syrian networks that are still connected to the Internet, still reachable by traceroutes, and indeed still hosting Syrian content,” the company wrote in a blog post. “These are five networks that use Syrian-registered IP space, but the originator of the routes is actually Tata Communications. These are potentially offshore, rather than domestic, and perhaps not subject to whatever killswitch was thrown today within Syria.”

By the morning of Nov. 30, those five servers went offline. “The last 5 networks belonging to Syria, a set of smaller netblocks previously advertised by Tata Communications, have been torn down and are no longer routed,” Renesys wrote. “These blocks survived today’s Internet blackout in Syria, but 12 hours after the onset, they, too are off the air. Traceroutes to these blocks now die on Tata’s network in New Jersey, and websites hosted in these blocks are no longer responding.”
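The check Renesys describes above, distinguishing a country's prefixes that are originated domestically from those announced by a foreign carrier, can be reproduced offline from two routing-table snapshots. The following is an added example, not Renesys's tooling or data: the prefixes, origin ASNs and AS-to-country mapping are constructed test values (RFC 5737/RFC 2544 prefixes and RFC 6996 private ASNs), and it assumes the registry country of each prefix has already been looked up.

```python
"""Before/after comparison of a country's routed prefixes.

Added example, not Renesys code or data. The route entries below are
constructed: RFC 5737 / RFC 2544 test prefixes and RFC 6996 private
ASNs stand in for real Syrian netblocks and real operators.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str        # announced prefix as seen in a routing table
    origin_asn: int    # AS at the end of the AS path, i.e. the originator
    reg_country: str   # country the prefix is registered to (from WHOIS)


# Constructed origin-AS -> country map; private ASNs, not real operators.
AS_COUNTRY = {64512: "SY", 64513: "SY", 64600: "IN"}

# Constructed snapshot before the blackout: five SY-registered prefixes, one
# of them originated by a foreign AS, plus one unrelated foreign prefix.
BEFORE = [
    Route("192.0.2.0/25", 64512, "SY"),
    Route("192.0.2.128/25", 64512, "SY"),
    Route("198.51.100.0/24", 64513, "SY"),
    Route("203.0.113.0/25", 64513, "SY"),
    Route("203.0.113.128/26", 64600, "SY"),   # SY space, foreign originator
    Route("198.18.0.0/24", 64600, "IN"),
]

# Constructed snapshot after the domestic withdrawal: only the routes
# originated by the foreign AS are still present.
AFTER = [
    Route("203.0.113.128/26", 64600, "SY"),
    Route("198.18.0.0/24", 64600, "IN"),
]


def withdrawn(before, after):
    """Prefixes that were routed before the event and are gone afterwards."""
    still_routed = {r.prefix for r in after}
    return sorted(r.prefix for r in before if r.prefix not in still_routed)


def foreign_origin(routes, country):
    """Prefixes registered to `country` whose originating AS sits elsewhere.

    These are the candidates for surviving a domestic cut-off, because the
    announcement is made from outside the country's own gateways.
    """
    return sorted(
        r.prefix
        for r in routes
        if r.reg_country == country and AS_COUNTRY.get(r.origin_asn) != country
    )


def country_outage(before, after, country):
    """Summarise how much of `country`'s registered space was withdrawn."""
    own = [r for r in before if r.reg_country == country]
    gone_set = set(withdrawn(before, after))
    gone = [r for r in own if r.prefix in gone_set]
    addresses_gone = sum(ipaddress.ip_network(r.prefix).num_addresses for r in gone)
    return {
        "prefixes_total": len(own),
        "prefixes_withdrawn": len(gone),
        "fraction_withdrawn": len(gone) / len(own) if own else 0.0,
        "addresses_withdrawn": addresses_gone,
        "survivors": sorted(r.prefix for r in own if r.prefix not in gone_set),
    }


if __name__ == "__main__":
    print("withdrawn:", withdrawn(BEFORE, AFTER))
    print("foreign-originated SY space:", foreign_origin(BEFORE, "SY"))
    print("outage summary:", country_outage(BEFORE, AFTER, "SY"))
```

With the constructed snapshots, four of the five "SY" prefixes disappear and the one survivor is exactly the block originated by the foreign AS, which is the pattern the post above reports. In practice the snapshots would come from a route collector's RIB dumps and the registry country from the RIR delegated-extended files.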

A Country Offline

A little after noon on Nov. 29 (Damascus time), about 92 percent of the networks tracked by Renesys—all of them usually reachable through the Syrian Telecommunications Establishment—went down. Syria had all but disappeared from the Internet.

Rob Faris, research director at Harvard University’s Berkman Center for Internet & Society, told The Huffington Post on Nov. 29 that, by altering the routing tables, a government can make all information passing through the country’s networks disappear into oblivion. “If a country wanted to remove itself from the Internet, it can,” he said. “There are a limited number of international gateways, and it’s really just a matter of how many telephone calls need to be made.”

The Syrian government has shut down Internet access within the country several times within the last few years, mostly to block opposition groups from connecting and spreading information via the Internet. U.S. Ambassador to Syria Robert Ford told CNN that, in response to government Internet-related actions, the United States has given “a thousand pieces of non-lethal equipment—largely communications gear” to help opposition activists get around the cyber roadblocks.

(Speaking of phone numbers, members of the hacker group Anonymous—whose pendulum seemingly swings back and forth between humanitarian gestures that bolster democracy and defacing various sites to little effect—have also offered a list of phone numbers to help Syrians get back online.)

The five servers were tied to a May malware scandal that apparently targeted members of the Syrian opposition groups currently fighting the government. According to the Electronic Frontier Foundation, the attacks included Trojans and phishing designed to capture passwords for YouTube and Facebook. TrendMicro’s Malware Blog described a Website that purportedly offered Skype encryption software but was actually a Trojan that installed DarkComet 3.3, a remote administration tool that allows an attacker to capture webcam activity, disable the notification setting for certain antivirus programs, record keystrokes, steal passwords, and more–and sends that sensitive information to an address in Syrian IP space.


Image: Aleksey Klints/Shutterstock.com
