Yusef (R) puts a wedding ring on his fiancee Ghada’s finger in the Sukkari district of Aleppo, in northern Syria, on January 17, 2013. AFP PHOTO JM LOPEZ

Please visit our official facebook page at goo.gl/LK5Ra. It contains useful feautures, such us watching our livestream from our FB page (inclusive our livestream chat). And many other feautures. The  Facebook page contains news and pictures and it’s definetely worth to check it out!

(Reuters) - U.S. technologies that may include a mobile phone “panic button” and an “internet suitcase” are being used by activists in Syria and other authoritarian countries to override government communications controls, a U.S. official said on Thursday.

Alec Ross, U.S. Secretary of State Hillary Clinton’s senior adviser for innovation, said the United States was working on between 10 and 20 classified technologies that could be used by protesters and others facing communications curbs.

He also described how Facebook and other social networks could be used to challenge propaganda spread online by what he called the “Syrian Electronic Army”.

“They’re (some of the new technologies) being used in Syria. A number of the organisations that have benefited from our training include Syrian citizens,” Ross told reporters in London, declining to specify which of the technologies were being used.

Ross outlined one U.S. innovation that he said was inspired by the detention of protesters in Iran and the mining of their phones for information on activist networks.

The so-called “panic button” is a pin code that when entered into a mobile phone will immediately wipe its address book and messages.

Another is the “internet suitcase”, which he said could be used to set up a communications network even when the state-controlled telecommunications provider has shut off connectivity or is using it to monitor and punish dissent.

Ross said there was “clear evidence” that Syria’s main mobile phone operator Syriatel, which is currently under U.S. sanctions, was being used to identify and punish dissent.

More than 10,000 people have been killed in Syria since an uprising began against President Bashar al-Assad last year, inspired by a wave demonstrations across the Middle East that toppled autocratic leaders in Egypt, Libya, Tunisia and Yemen.

SYRIAN ELECTRONIC ARMY

Social networks played a key role in rallying activists during the Arab Spring, and authorities responded by shutting down networks to make it harder for protesters to coordinate.

In Syria, Ross gave an example of how Facebook could be used to undermine state propaganda, and described how the U.S. envoy to Damascus had taken to posting messages on the social networking site to avoid being misinterpreted.

The ambassador’s posts were then flooded by anti-U.S. and pro-Assad responses, Ross said, implying that they were a coordinated onslaught.

“What happened is real Syrian citizens began to out members of the Syrian Electronic Army, and so while the army might have put 500 comments, normal Syrians put another 500 up saying ‘Ignore all these comments that are pro-Bashar’,” Ross said.

“At the end of the day the Syrian Electronic Army came out with egg on its face,” he added.

Ross said Washington communicated with Google and Facebook to share information on their operations in “oppressive environments”, giving an example of talks prompted by cyber attacks by the government of ousted Tunisian leader Zine al-Abidine Ben Ali to stifle protests against his rule.

“We have open communications and discussions with companies like Google and Facebook in oppressive environments so we can share information,” Ross said.

“The Ben Ali government cyber-attacked 1.4 million of its own citizens to try to identify the ‘movement leaders’ and Facebook actually told us about the cyber attack. We then shared information over the weeks that followed over the respective responses.”

Since the beginning of the year, pro-Syrian-government hackers have steadily escalated the frequency and sophistication of their attacks on Syrian opposition activists. We have reported on several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.

The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

The screenshot below shows the file with the fake Adobe icon.

The self-extracting file is named:

ورقة حول مجلس القيادة_as‮rcs.fdp.scr

On extraction, it performs several actions, including opening a PDF file, which you can see in the screenshot below.

The screenshot below shows the other files that are dropped:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\(Empty).lnk
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ورقة حول مجلس القيادة.pdf
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msdlg.ocx

Additionally, after you start typing, it creates a keylogger directory:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dclogs

The screenshot below shows process that indicates the DarkComet RAT is running on your computer. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab. The process is called svchost.exe and runs under your username. In this example, the user is Administrator.

The screenshot below shows the empty start-up link which is created by the Trojan.

As of Wednesday April 4th, this Trojan is not detected by any anti-virus program. However, it is detectable by the DarkComet RAT removal tool, written by the same developer that originally wrote DarkComet RAT. The screenshot below shows the removal tool detecting DarkComet RAT on an infected computer. The YouTube phishing attack also installed DarkComet RAT and is detectable via the DarkComet RAT removal tool DarkComet RAT Remover v1.0.

Facebook has been a popular place for Syrian Internet activists to share their opposition to the Assad regime ever since the site was unblocked by the Syrian government in early 2011. While some interpreted the Assad regime’s decision to allow access to Facebook as a positive sign, others feared that the government had made Facebook available for the purpose of entrapping Syrian activists.

In the past month, EFF has reported on several instances of pro-Syrian-government hackers targeting Syrian Internet activists using malware spread through chats and emails, as well as updates downloaded from a fake YouTube site. Most recently, we’ve seen reports from Syrian opposition networking specialists of a phishing attack aimed at Syrian activists, spread primarily on pro-revolution forums on Facebook.

The screenshot below shows the phishing link accompanied by the following text in Arabic: Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad’s thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad’s dogs.. please spread this.

The screenshot below displays the link in a comment under a pro-revolution video. The phishing link is accompanied by the following text in Arabic: Urgent. The thug Sharif Shihada was arrested by the Free Army. Captured by Ahrar Al Qlamoun battalion… please spread the video of him denouncing the Syrian Regime… Allahu Akbar, victory to our revolution and Free Army.

The screenshot below shows the fake Facebook login page. Note the non-Facebook URL in the URL bar of the browser.

Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.

This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.

EFF is deeply concerned to see targeted attacks on Syrian Internet activists increasing in number and using increasingly diverse methods. We will continue to keep a close eye on developments.

The Al Arabiya English page on the social networking site Facebook was hacked on Monday.

Posts on the page surrounding the conflict in Syria have provided our readers with what is believed to be false news on attacks in Syria and deceptive information on Saudi government orders.

The posts included news about clashes between the Free Syria Army and the Syrian regime security forces, which Al Arabiya cannot verify.

The news is being falsely attributed to Al Arabiya sources.

The posts by hackers appear in Arabic on Al Arabiya English Facebook page and have confused our fans who normally expect the latest news on the Middle East in the English language.

A technical team is working to resolve the problem and determine the source of the attack.

Al Arabiya was the target of deliberate online attacks and jamming of its broadcast transmission. The latest of these attacks occurred in February and prompted Al Arabiya to change its frequencies on Arabsat.

February 17, 2012 — Updated 2141 GMT (0541 HKT)

Syrians demonstrate against the regime after Friday prayers in the north Syrian city of Idlib on February 17. Activists working against the regime now have to worry about malware that can expose their activities.

(CNN) — In Syria’s cyberwar, the regime’s supporters have deployed a new weapon against opposition activists — computer viruses that spy on them, according to an IT specialist from a Syrian opposition group and a former international aid worker whose computer was infected.

A U.S.-based antivirus software maker, which analyzed one of the viruses at CNN’s request, said that it was recently written for a specific cyberespionage campaign and that it passes information it robs from computers to a server at a government-owned telecommunications company in Syria.

Supporters of dictator Bashar al-Assad first steal the identities of opposition activists, then impersonate them in online chats, said software engineer Dlshad Othman. They gain the trust of other users, pass out Trojan horse viruses and encourage people to open them.

Once on the victim’s computer, the malware sends information out to third parties.

Othman is an IT security “go-to-guy” for opposition activists. He resides outside of Syria for his own safety.

Since December, he has heard from dozens of opposition members who say their computers were infected. Two of them recently passed actual viruses to Othman and a colleague with whom he works. They checked them out.

“We have two malwares — first one is really complex,” Othman said via Skype chat. “It can hide itself more.”

The U.S. analysis of one of the viruses — the simpler one — would appear to corroborate the time of its launch around the start of the year.

The virus has two parts, said Vikram Thakur, principal security response manager at Symantec Corporation, known to consumers for its Norton antivirus software. He said one of them points to December 6 and the other to January 16.

Thakur has dubbed the simpler virus “backdoor.breut.”

It was the more complex virus that the former aid worker unwittingly downloaded during a chat. Since she travels to Syria, she has requested that CNN not name her for security reasons and instead refer to her as “Susan.”

To get a picture of the humanitarian needs on the ground in Syria, “Susan” contacted opposition members via the Internet. In January, she received a call via Skype from someone she believed was a regime opponent.

It was an imposter and a regime supporter, she claims.

“They called me actually and pretended that it’s him — this activist that I didn’t know, because I’d been talking to him only two times and only in writing.”

This message in Arabic encourages computer users to download a free security program. It actually installs spyware on a user’s machine, experts say.

Days later, other opposition members told Susan and Othman that the activist she thought she had spoken with was in detention. Activists accuse government forces of coercing him to reveal his user name and identity and of then going online to impersonate him.

Othman says additional activists, who say they were detained and released, tell of being forced to turn over their passwords to Syrian authorities.

CNN cannot independently confirm the accusations, because the Syrian government strictly limits international media coverage within its borders.

Calls for Syrian government comment to a spokeswoman for al-Assad on Friday were not answered or did not go through. Friday is the weekly special day of prayer in the Muslim world.

The man chatting with Susan via Skype passed her a file. She recalled what he said to her to coax her to open it: “This makes sure that when you’re talking to me, it’s really me talking to you and not somebody else.”

She clicked on the file. “It actually didn’t do anything,” she said in a baffled tone. “I didn’t notice any change at all.”

No graphics launched; no pop-up opened to announce to the user that the virus was being downloaded. The link appeared to be dead or defected, said Othman.

The second virus, backdoor.breut, which was e-mailed to him by an activist inside Syria for analysis, launched the same way. “Download, open, then nothing,” Othman said.

It contains a fake Facebook logo and was passed off in a chat room as a Facebook security update, he said.

At CNN’s request, Othman forwarded that virus to an IT security expert in California for an independent analysis.

Othman removed the more complex malware on Susan’s computer but made an image of the infected hard drive beforehand. At more than 250 GB, it would have to be sent on an external hard drive by regular post — snail mail — for any independent scrutiny.

The U.S. expert confirmed the invisible nature of the backdoor.breut Trojan horse download.

“Nothing would actually show up,” said Thakur. “The only thing that the Trojan actually does — it copies itself into one of the temporary locations, but that would not be visible to the regular user.”

The malware launches when the user reboots the computer.

The Syrian cyberactivist and the California IT security manager pointed out that the lack of fanfare during download helps to conceal the viruses from their victims.

“Most of them will say ‘it’s a damaged file,’ and they will forget about it,” Othman said.

Susan did just that.

She was not aware she had been hacked until she lost her Facebook and e-mail accounts a few days after clicking on the file.

“I didn’t click on any kind of new link or something, so they must have known about the password,” she said, referring to the loss of her Facebook account.

She handed over her laptop to Othman and his colleague, who told her that the Trojan horse had logged her key strokes, taken screen shots, rummaged through her folders. It hid the IP address it sent its information to, Othman said.

Othman found a screen shot the Trojan horse took of Susan’s online banking home page. He told her to change all her passwords, Susan said.

“You don’t want your money to be stolen by some of the Syrian security guys,” she quipped.

The other virus — backdoor.breut — sends the information it pillages from infected computers to the IP address: 216.6.0.28 and does not hide this.

“We checked the IP address that our engineer referenced and can confirm that it belongs to the STE (Syrian Telecommunications Establishment),” a Symantec representative wrote to CNN. The STE is the government telecommunications company.

This does not necessarily mean that someone at STE is doing the hacking, Thakur stresses.

“Whether it’s a home user behind that or it’s actually a company or an organization, which has been allocated that IP address, we just have no insight from where we sit.”

But the Syrian government has access to all activity through that server “absolutely without any doubt,” Thakur said. Anyone not wanting the government to see what they are up to would not use that server.

Skilled Syrian opposition activists avoid government telecom servers when online.

The simple virus, backdoor.breut, acts like a bull in a china shop, Symantec’s Thakur said.

“It did not look like it was written by any sophisticated hacker,” he said after examining it. “It was just kind of put together — slapstick functionality.”

Simple malware is readily available for download on underground forums in the Internet. Hackers can repurpose it and hand it out. Othman believed the second software to be such an off-the-shelf product because of its amateurish construction, but the California expert disagrees.

“It’s not something that somebody just went out there, copied code from an Internet website and just pasted it in. It was definitely coded for its current purpose.”

The name “backdoor.breut” derives from the virus’ behavior.

“We sort of took the word ‘brute’ just because of what it was actually doing and kind of changed a couple of characters to b-r-e-u-t,” Thakur said.

“Brute — meaning that it is using brute force — it’s just going in smash-and-grab — I’m going to try to get anything that I can and get the hell out of there.”

Backdoor.breut attempts to give the hacker remote control of the victim’s computer, according to the analysis. It steals passwords and system information, downloads new programs, guides internal processes, logs keystrokes and takes shots with the webcam.

It also turns off antivirus notification, but that does not completely conceal it from detection. “Some of the good software can detect it in the same day,” Thakur said.

The nature of its use may make backdoor.breut and other new Syrian malware hard to defend against. Antivirus makers need to know the virus to be able to assign it a signature and make the file detectible to block the download, according to Thakur.

The more widely a new virus spreads around the world, the more likely it is to land on an antivirus maker’s radar. The smaller the region the virus is located in, the less likely virus vigilantes are to notice and combat it.

“Looking at this Trojan and the telemetry that we’ve gathered the last five or six days since we did the analysis, this is not targeting people across the complete globe. So, it could be days before some antiviruses actually create signatures for the file,” Thakur said.

More complex antivirus software can detect malware that does not yet have a signature, because of how it behaves after infecting the computer, Thakur said. If the antivirus does not have this ‘behavior’ component, it may not defend against a new virus “for a substantial amount of time.”

On a Facebook page named “Cyber Arabs,” Othman warns activists of the danger of downloading the virus and reminds users to keep their antivirus software updated.

Download.com, CNET’s software download website, offers antivirus software, some of which includes a “behavior” component and is free of charge.

But that is still no guarantee for not contracting a new Syrian cyberbug, “Susan” reminds.

“It was up-to-date,” she said. “The problem is that they sent me a … file, and I was totally stupid — like, it’s an EXE file — and I opened it.”

John Scott-Railton also contributed to this story.

URGENT ACTION

ABDUCTED SYRIAN ACTIVIST AT RISK OF TORTURE

Pro- reform activist Georges Moubayed w as abducted on 10 January 2012  and remains held at an unknown location by a group believed to be linked to the Syrian authorities. On 12 January , his family received a phone-call in which he said he had been shot in the leg and the abductors demanded a ransom for his release . He is at risk of torture and other ill-treatment.

Georges Moubayed, a jeweller aged 62, was abducted after leaving his house in the Jaramana district of the capital Damascus. He had participated in pro-reform demonstrations in the city, which he had promoted via Facebook, and also gave financial and other support to families of activists who have died during the protests and unrest. Two days after his abduction, he phoned his daughter in France to say he had been captured and that he had been shot in the leg. The abductors then told her that they were demanding a ransom of 30 million Syrian Lira (about $500,000) for his release.

Thousands of pro-reform activists have been detained since March last year by the security forces and members of pro-government shabiha gangs. Torture and other ill-treatment has been widespread, and more than 235 people are reported to have died in custody.

Please write immediately in English, Arabic or French or your own language:

Expressing concern that Georges Moubayed is held at an unknown location by a group believed to be linked to the state and at risk of torture and ill-treatment or even death;

Calling on the Syrian authorities to ensure that Georges Moubayed is released immediately, given any necessary medical treatment and is able to return to his home safely;

Calling on the Syria authorities to ensure that all attacks against pro-reform activists are investigated thoroughly and that those responsible are brought to justice

P LEASE SEND APPEALS BEFORE 1 MARCH 2012 TO :

President

Bashar al-Assad

Presidential Palace

al-Rashid Street

Damascus, Syrian Arab Republic

Fax: +963 11 332 3410

Salutation: Your Excellency

Ministry of Interior

His Excellency Major General Mohamad Ibrahim al-Shaar

Minister of Interior

‘Abd al-Rahman Shahbandar Street

Damascus, Syrian Arab Republic

Fax: +963 11 311 0554

Salutation: Your Excellency

Minister of Foreign Affairs

Walid al-Mu’allim

Ministry of Foreign Affairs

al-Rashid Street

Damascus, Syrian Arab Republic

Fax: +963 11 214 6251/6252/6253

Salutation: Your Excellency

Also send copies to diplomatic representatives accredited to your country. Please insert local diplomatic addresses below:

Name Address 1 Address 2 Address 3 Fax Fax number Email Email address Salutation Salutation

Please check with your section office if sending appeals after the above date.

URGENT ACTION

ABDUCTED SYRIAN ACTIVIST AT RISK OF TORTURE

Additional Information

Pro-reform demonstrations began in Syria in February 2011 and evolved into mass protests in mid-March. The Syrian authorities have responded in the most brutal manner in their efforts to suppress them. Amnesty International has obtained the names of more than 4,600 people reported to have died or been killed during, or in connection with, the protests and unrest. Many are believed to have been shot by security forces using live ammunition while participating in peaceful protests or attending funerals of people killed in earlier protests. Members of the security forces have also been killed, some by defecting members of the army and others who have taken up arms against the government.

Thousands of people have been arrested, with many held incommunicado at unknown locations at which torture and other ill-treatment are reported to be rife. Over 235 people are reported to have died in custody in highly suspicious circumstances since 1 April 2011.

The Syrian state has multiple security and intelligence agencies in addition to even more opaque groups, often armed but not necessarily uniformed, who also carry out abductions, killings and other abuses in apparent coordination with, or at least approval of, state officials. Amnesty International has also received reports of armed individuals threatening, abusing and, in some cases, killing people perceived to be linked to or supportive of the state.

Name: Georges Moubayed

Gender m/f: m

UA: 16/12 Index: MDE 24/004/2012 Issue Date: 19 January 2012

By BASSEM MROUE, Associated Press

BEIRUT — Syria’s opposition called a general strike Thursday over President Bashar Assad’s deadly crackdown on an 8-month-old revolt, ramping up efforts to persuade the country’s business elite to abandon their long-standing ties to the regime.

The move came as Syrian troops stormed a village in the central province of Hama, killing six people – the latest in what has become daily violence and bloodshed in the country. The United Nations says at least 3,500 people have been killed since the uprising began in March.

A recent spate of economic sanctions from the Arab League, Turkey and European Union are punishing Syria’s ailing economy, a dangerous development for the government in Damascus. Syrian business leaders have long traded political freedoms for economic privileges in the country, where the prosperous merchant classes are key to propping up the regime.

The sanctions, coupled with increasing calls for strikes, could sap their resolve.

It was difficult to gauge how widely Syrians were abiding by the strike, which activists announced on an opposition Facebook page. The regime has sealed the country off from foreign journalists and prevented independent reporting.

Residents in Syria’s two economic powerhouses – the capital, Damascus, and the northern city of Aleppo – reported business as usual Thursday.

But in the flashpoint city of Homs, a resident told The Associated Press that most of the shops were closed, except for those selling food. Homs has been one of Syria’s most volatile cities, with increasing clashes between troops and army defectors.

“Few people are in the streets and only about 20 percent of students went to schools and universities,” said one resident, who asked that his name not be made public for fear of government reprisals.

A video posted online by activists showed mostly closed shops in the Damascus suburb of Zabadani, which also has seen large anti-regime protests.

Despite the recent diplomatic squeeze and Thursday’s strike, the government has shown little sign of easing its crackdown.

The Local Coordination Committees activist group said security forces swept through the village of Traimseh in the central province of Hama. The group said six people were killed, without giving further details.

Another person was shot dead in the nearby province of Homs, the group said.

The British-based Syrian Observatory for Human Rights also said six people were killed and nine wounded in Traimseh. It added that the operation was continuing in the village.

Also Thursday, the government took local journalists on a trip to the village of Kfarbo in Hama province, where they spoke to the family of a 9-year-old boy who was shot dead in Homs three days ago while he was buying cookies from a shop.

“He was holding a biscuit in his hand not a pistol,” the child’s mother, Georgina Mtanious al-Jammal, told reporters. “They have burned my heart.”

She blamed “armed terrorists” for killing her son.

The shooting is particularly resonant in Syria because the boy, Sari Saoud, was from a Christian family. Christians and other religious minorities in Syria generally support the regime because they feel it offers them important protections.

Syria is overwhelmingly Sunni Muslim, and many minorities fear they will be marginalized if a Sunni regime takes over. Assad and the ruling elite are from the tiny Alawite sect.

___

Associated Press writer Albert Aji contributed to this report from Kfarbo, Syria.

___

Bassem Mroue can be reached on http://twitter.com/bmroue