Syrian Government is Spreading Malware, or They Have Been Pwned

Posted: June 14, 2013 in Information Security

I was browsing my FB account and I found myself reading this comment posted by Mohammad Hammada about the last post of

خاص بلفضائية السورية, which means "Private to the general organization of radio and TV in Syria".

The post claimed to disclose a list of killers' names related to a massacre in Syria, along with a bunch of pictures (I don't usually follow such posts or enter into political debates), but the interesting part was the replies from people: "Be careful, there is malware inside". I downloaded the file; it was 239.29 KB!! (First thought: how many pictures are in there?)

[Screenshot from 2013-06-14 03:24:02]

In the RAR there were 5 JPGs (real pictures; I will not post them here due to the strong content) and one file called _1194cds62rcs.txt. It was easy to notice that the .txt wasn't a real text file: if you take a look at the TYPE column in the RAR you will see "unknown". I extracted all of them after making sure there was no autorun after extraction.

[Screenshot from 2013-06-14 03:24:16]

So, as we knew from the beginning, it is not a text file; it is an executable developed in .NET targeting Microsoft Windows. Let's go further and see what else we can find out about this file.

1- Using /

The file is detected as a virus by 7 major AV solutions, so let's do a static and a dynamic analysis.

[Screenshot from 2013-06-14 03:43:52]

[Screenshots from 2013-06-14 03:44:18, 03:44:24 and 03:44:37]

+ Results of the static analysis

1- We got the real entry point and the version of the .NET Framework used to develop the malware.

// Entry point: mc.Main

// Architecture: x86

// Runtime: .NET 2.0

2- The dependencies

// dmcl40 // kernel32.dll // rpcrt4 // urlmon // netapi32 // difxapi // opengl32 // odbc32 // ole32

// crypt32 // hhctrl // winfax // odbccp32 // iprop // faultrep // mpr // winusb // irprops // dbghelp

// credui // mscorsn // comctl32 // hid // dnsapi

3- The malware is obfuscated and encrypted, and it detects the presence of debuggers and task managers.
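The first observations above (a ".txt" that is really a PE, built for x86, carrying a .NET runtime header) can be reproduced from the file headers alone, without trusting the extension or the archive viewer. The following is an added example, not code from the original post; it parses the DOS/COFF/optional headers and the CLR data directory, and the sample it runs on is a constructed minimal header, not the malware itself.

```python
import struct

# IMAGE_FILE_HEADER.Machine values (from the PE/COFF spec)
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def inspect_pe(data: bytes) -> dict:
    """Classify a blob by its headers, not its name: Windows PE? which CPU? CLR (.NET) header present?"""
    result = {"is_pe": False, "machine": None, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result                                   # no DOS header: not a PE
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    opt = e_lfanew + 24                                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin 96 bytes into the optional header for PE32 (0x10B), 112 for PE32+ (0x20B);
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    dd_base = opt + (96 if magic == 0x10B else 112)
    clr_entry = dd_base + 14 * 8                        # entry 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if clr_entry + 8 <= len(data):
        num_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]
        rva, size = struct.unpack_from("<II", data, clr_entry)
        result["is_dotnet"] = num_dirs > 14 and rva != 0 and size != 0
    return result

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like plain text is actually a PE executable."""
    return filename.lower().endswith(".txt") and inspect_pe(data)["is_pe"]

def build_sample(dotnet: bool) -> bytes:
    """Constructed, minimal PE32 (x86) header used only to exercise the parser; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE signature right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA and size
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    for name, blob in [("_1194cds62rcs.txt", build_sample(True)), ("notes.txt", b"plain text\n")]:
        print(name, inspect_pe(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

Run the same check over every member extracted from an archive and anything whose name says text but whose header says PE deserves a sandbox, not a double-click.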

[Screenshots from 2013-06-14 03:59:03 and 03:59:15]

I reversed the code and made a small script to decrypt it and pull out more information.

[Screenshot from 2013-06-14 03:59:47]

[Screenshot from 2013-06-14 04:06:49]

As a result of the script:

– It detects the presence of:

  • OllyDBg
  • SbieCtrl
  • mbam
  • taskmgr
  • HijackThis
  • Virtual PC
  • TEMemoryScanner

– Stores itself as cvtres.exe

– Uses kernel32 and ntdll to create a new process

– Queries and manipulates dozens of registry keys

– Queries a name server and communicates with it (I will soon disclose the information I can gather from the command center)

– Puts itself at start-up

The creator put a lot of effort into the obfuscation and encryption.

This group is the official Facebook group of .

[Screenshot from 2013-06-14 04:32:10]

[Screenshot from 2013-06-14 06:10:23]


Domain and hosting lookup for the site:

Netblock owner: 190 Internet Service Provider
IPv6 address: Not Present
Top Level Domain: Syria (.sy)
Hosting history: 190 Internet Service Provider, Windows Server 2008, Microsoft-IIS/7.5, last changed 2-May-2013

A governmental page with a high PageRank on Google.

[Screenshot from 2013-06-14 04:40:19]

There are two hypotheses:

1- This was really done by the government

2- Someone hacked into the account and did it

But if the Syrian government is spreading malware using Facebook pages, I couldn't imagine how many exploits they are launching through the web site itself. This looks like a science fiction movie, but the reality is that we are facing a time where cyberspace is the battlefield. I hope this can serve as an alert message to everyone: be careful when you are wired, and don't rely on AV solutions only.

===== Update June 14, 2013 at 4:51

The Syrian official web site acknowledged losing the Facebook page.

[Screenshot from 2013-06-14 12:45:31]
