CPJ Journalist Security Blog

Skype Trojan targets Syrian citizen journalists, activists

By Frank Smyth/Senior Adviser for Journalist Security

The Russian manufacturer promises results. The software can be used to control your own or, say, a customer's computer by making it a remote software client. Or it could be used for spying on others.

"BlackShades Remote Controller also provides an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system," reads one line of the online product description. The software sells online for $40 (an additional $12.60 brings premium support) through the Canadian E-Commerce reseller paypro, and it can surreptitiously record keystrokes and screen views while giving the intruder clandestine remote access to the target computer.

The terms of service include several disclaimers. Purchasers must be "of legal age to use our services and are not a person barred from receiving services under the laws of Russia or other applicable jurisdiction." Purchasers must further agree to not use BlackShades to "harm people in any way," or "upload, post or otherwise make available any Content that you do not have a right to make available," or "provide material support or resources...to any organization(s) designated by the Russian government as a foreign terrorist organization."

The spyware has been embedded into what looks like just one of many .pif video files being circulated by Syrian activists on Skype to help document attacks and human rights abuses by Syrian government and pro-government forces, according to a report posted yesterday by the University of Toronto's Citizen Lab. North American-based forensic experts dissected the Trojan spyware embedded in the video file circulating on Skype, which ends with the extension "new_new.pif."

The digital workings of the latest Skype Trojan are similar to those of a prior YouTube video Trojan that also targeted Syrian activists, according to a report yesterday by the San Francisco-based nonprofit Electronic Frontier Foundation. The EFF report includes screen shots to help Syrian activists and other users identify the specific harmful files.

Yet merely deleting the files or using anti-virus software "does not guarantee that your computer will be safe or secure," added EFF. The remote control access that BlackShades provides could allow intruders to install other spyware on one's computer. What's the safest bet? EFF suggests re-installing the computer's Operating System and changing all passwords to any accounts that one has logged into since the infection.