Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years

thomst writes "Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.' The malware, dubbed 'The Mask' by Kaspersky's researchers, targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, research organizations, and activists. It had been loose on the Internet since at least 2007 before being shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773, affecting both Windows and Linux machines. Users were directed to the site via spearphishing emails."

Editing?

[bigjocker]

This is ridiculous. What kind of editor publishes a note so badly written? You should at least read summaries out loud to see if you would look like an idiot. That would have certainly worked in this case. At least add a preview button for summaries like you do for comments for pete's sake.

Hoy many errors can you spot?

"Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that employs "uses techniques and code that surpass any nation-state spyware previously spotted in the wild." The malware, dubbed "The Mask" by Kaspersky's researchers, targeted targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, and research organizations and activists had been loose on the Internet since at least 2007, before it was shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773 — that affected both Windows and Linux machines. Users were directed to the site via spearphishing emails."

Re:Editing?

[agapeton]

"poorly written"* "if you will look like an idiot"* "This would have"* "summaries similar to the ones for"* "Pete's sake"* I count four.

Re:Editing?

[TechyImmigrant]

4.
5 if you include "Hoy many errors can you spot?"

Re:Editing?

I had to read it three times before I understood what it was trying to say.

Re:Editing?

[bigjocker]

Yes, it's missing an A before Hoy ... sorry about that

Re:Editing?

[Strider-]

Slashdot Drinking Game?

Re:Editing?

Not the OP here, but you are wrong. Good luck next time.

1) "badly written" is acceptable
2) "would" is correct, your "correction" of "will" is wrong.
3) This/That is interchangeable.
4) Now you just look like an idiot.
5) I'm not even going to bother.

You have five corrections but you only count four?

Re:Editing?

[CanHasDIY]

Yes, it's missing an A before Hoy ... sorry about that

Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."

Considering that much modern slang is just shortened versions of older sayings, I'd call "hoy" by itself a fair greeting.

Re: Editing?

Hoy gago!

Re:Editing?

[asmkm22]

Seriously, this is bad even for Slashdot standards.

Re:Editing?

[gerddie]

You have five corrections but you only count four?

He's probably from the Spanish inquisition.

Re:Editing?

[Ralph+Wiggam]

Bigjocker does not pretend to be a competent writer or editor. Thomst does.

Re:Editing?

That would have been funnier if you didn't blow your analysis... I think your corrections are wrong at least 3 if not four times and you seem to count in IBM.

Re:Editing?

[wonkey_monkey]

"poorly written"*
"if you will look like an idiot"*
"This would have"*
"summaries similar to the ones for"*
"Pete's sake"*

I count four.

Really? I count five. Well, less, really, because at least one is wrong ("would look" is better than "will look" because the opportunity correction exists) and most of the rest are highly debatable, not least for the fact that the GP isn't pretending to be a professional news website.

Re:Editing?

[Chris+Mattern]

Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."

Which is not as ridiculous as it sounds. "Hello" was not a common greeting before it became standardized as the way to answer a phone.

Re:Editing?

[wonkey_monkey]

because the opportunity for correction exists

FTFM.

Re:Editing?

[mwehle]

Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."

Considering that much modern slang is just shortened versions of older sayings, I'd call "hoy" by itself a fair greeting.

"Hoy hoy hoy" would be (will be?) a fair greeting among pojama people.

Re:Editing?

[Soulskill]

I just updated the summary with grammar fixes. Thanks for pointing it out.

Re:Editing?

[steelfood]

Es just Spanish.

Re:Editing?

[BronsCon]

You missed "Hoy".

Re:Editing?

[neminem]

Research organizations and activists *have* been loose on the internet since at least 2007, though. Quite a bit earlier, even.

Re:Editing?

[CanHasDIY]

Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."

Which is not as ridiculous as it sounds. "Hello" was not a common greeting before it became standardized as the way to answer a phone.

I dig it.

Hell, I'd answer the phone that way myself if so many other greetings weren't already burned into my subconscious.

Re:Editing?

[BitZtream]

Could you please explain why this doesn't happen BEFORE hand?

Its not like this is a one time thing, this happens pretty much daily.

Do you guys not have any standards at all? You just keep letting these guys who are clearly not even high school graduates function as 'editors' without ever addressing the issue?

Re:Editing?

[Soulskill]

It does, usually. You don't notice the typos that have already been fixed because there's nothing to notice.

But we do make mistakes. We can't get 100% of them, but we try to. As you can imagine, it's been pretty hectic around here for the past few days, and that doesn't help.

Re:Editing?

[gmagill]

I think FZ sang it best:
http://www.youtube.com/watch?v...

Re:Editing?

[PPH]

for pete's sake

6. "Pete" is a proper name and should be capitalized.

Re:Editing?

[grcumb]

1) "badly written" is acceptable

Not in this context. 'Badly written' normally means 'illegible'. 'Poorly written' is the appropriate phrase.

So Dexter, seeing a quotation from Paradise Lost scrawled by a bloody hand across the wall of a Miami condo, would say, 'That was badly written.'

Milton's ghost, on the other hand, would look at the awkward parts of the latter seasons of Dexter and say, 'That was poorly written.'

Re:Editing?

[Ralph+Wiggam]

You don't notice the typos that have already been fixed because there's nothing to notice.

These weren't typos. This was assault and battery on the English language.

Re:Editing?

[ColdWetDog]

"English is a language that lurks in dark alleys, beats up other languages and rifles through their pockets for spare vocabulary."

Re:Editing?

[TechyImmigrant]

They should put stories under version control.

Re:Editing?

[Soulskill]

To be fair, the English language had it coming.

Re:Editing?

[PRMan]

Actually, it started in 1803 and was fairly common by the time the telephone was invented.

Re:Editing?

[itsthebin]

I suggest you meant "Spanish acquisition "

Re:Editing?

Er.. no.

Re:Editing?

[gl4ss]

haha that's brilliant! because that's one thing nobody ever expects!!!

Re:Editing?

For fuck's sake, insightful?? More like offtopic. Unlike you, samzepus wasn't an English major, he's a technologist. The summary is readable and he didn't make any of the stupid, egregious errors you often see in comments, illiteracy like "Their in there car over they're" or "They should loose all their money". And I see this bad writing in newspapers, where the writers SHOULD be educated in the language.

Save your vitriol for one of the occasional completely unreadable summary, this was at least understandable.

Re: Editing?

[blackiner]

Oh wow, this makes me appreciate the Simpsons even more. Mr. Burns used to answer the phone like that, I thought it was just some weird mannerism as a kid, but I guess the joke was that he is just *that* old.

Re:Editing?

[mcgrew]

Slashdot editors are technologists, not English majors. I do suggest to them that they hire a couple of English majors to do a quick proofread when the editors are done, though (not me, I'm literate but that wasn't even my minor, and I'm retiring this month anyway).

Re:Editing?

"poorly written"* "if you will look like an idiot"* "This would have"* "summaries similar to the ones for"* "Pete's sake"*

I count four.

And thank you for exemplifying why dull shoddiness reigns. Good Lord, it's as if you were upset you didn't notice the poorly written summary yourself.

Re:Editing?

Nice try to dig yourself out of a hole, but, no... nowhere in the definition of "badly" is there implied a physical connotation. Google "badly written" and you'll find plenty of examples of people referring to typed text. Even if you may have a smidgen of fact behind you historically, the internet-enabled colloquial world we're in now lets "badly" be used precisely as bigjocker intended.

You pretty much blew this whole analysis. It could have been funny, but now, no.

"hoy" is a perfectly cromulent word

[Thud457]

Merely punctuational errorification:

Hoy! Many errors you can spot!

Re:"hoy" is a perfectly cromulent word

[girlintraining]

Merely punctuational errorification:

They should have synergized their market paradigms more to create a more linguistically diverse user experience. It's only gonna get worse though... once Beta consumes the site, all that'll be left is the outward appearance of a badly edited blog.with comments enabled.

Re:"hoy" is a perfectly cromulent word

[TranquilVoid]

Actually he's correct when you consider the story is about Spanish malware;

"Today many errors you can spot!"

Looks like Spanish?

[cold+fjord]

We are well into the era of automated translation programs. I'm not sure that the language you see is necessarily what it was written in.

Having said that, I wonder if they considered Portuguese? Looks a lot like Spanish, and Brazil is a major power in malware.

Re:Looks like Spanish?

[Omega+Hacker]

Considering that *Kaspersky*'s press release opens with "Dominican Republic", I would guess the people writing it are probably pretty familiar with the difference.

Re:Looks like Spanish?

[CanHasDIY]

We are well into the era of automated translation programs. I'm not sure that the language you see is necessarily what it was written in.

Having said that, I wonder if they considered Portuguese? Looks a lot like Spanish, and Brazil is a major power in malware.

If you aren't writing your malware in Esperanto, you're not trying.

Trying too hard

[P1h3r1e3d13]

Most of your suggestions are clearer, or better style, but only “pete” is an actual error.
If you want to get that picky, you could use actual quotation marks, instead of straight quotes.

más o menos

 

It's called "The Mask"?

[93+Escort+Wagon]

Boy, that Jim Carrey is one talented dude...

Publish It All On the Net

[JimSadler]

I hope that all information that was gathered is published widely on the net and that all English versions are added. The public has a right to know.

a Spanish-language spyware attacks english grammer

apparently it targeted targeted slashdot too, via exploits that affected both submitters and editors

The /. community is causing more damage than Beta.

[BlueKitties]

I used to really enjoy coming to /. -- even with Beta, even though it stinks. Now the entire comments section has just devolved into complaints. The real threat to /. isn't Evil Corporate Overlords, it's /tivism gone wrong. R.I.P. awesome comment community, you will be missed. :(

Sequence of The Mask events

[WillAffleckUW]

1. Profit
2. Come up with reason for spying ...
4. Ask for authorization seven years later in secret cabinet meeting held in disused lavatory in sub-sub-basement of outmoded surplus warehouse.

Re:Sequence of The Mask events

3??

Is 3 sekret?

Why did you omit Step #3? What are you hiding?

Even our contributors forego transparency and censor the critical and most embarrassing parts of the process!

Re:Sequence of The Mask events

[bughunter]

There is no Five... Three! I mean three!

Re:Sequence of The Mask events

[sjames]

No documents have been located responsive to your requect for information on 'Step #3'. Move along Citizen, nothing to see here.

Re:a Spanish-language spyware attacks english gram

sed -i 's/grammer/grammar/' spelling.post

Re:a Spanish-language spyware attacks english gram

[mwehle]

And it attacks grammar to boot for Pete's sake!

Spyware techniques and code?

[DTentilhao]

"Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.'"

The linked to article seems a little short on details, what exactly makes these `techniques and code' surpass any spyware previously in the wild?

Re:Spyware techniques and code?

[benjfowler]

The infrastructure used to drive it was way beyond anything they've seen previously, even by ostensibe state actors; also, this sort of thing requires a lot of expensive and time-consuming legwork typically done by state intelligence agencies. The elite intelligence agencies do extensive research on their targets prior to using their weapons; they also maintain extremely high levels of operational sophistication, to the point where there is somebody with a finger on a trigger somewhere, figuring out what exploits they can risk using, depending on their assessment on how sophisticated their target will be.

It's likely to be Spain, as their intelligence agencies' primary targets are North Africa and Latin America. Likely, their role in NATO means they've been tasked with keeping tabs on our swarthy kamikaze friends (terrorists, drug dealers, people smugglers) on the far side of the Straits of Gibraltar. And given how many people al-Qaeda murdered during the 11-M attacks in 2004, you can hardly blame Spain for muscling up.

Re:Spyware techniques and code?

[kbrannen]

Can we use (sadly) this as yet another reason Flash must die? How many examples of bad security will it take before kill Flash forever? (Yeah, I know, marketing doesn't care about security as long as it looks good.)

Re:Spyware techniques and code?

The elite intelligence agencies do extensive research on their targets prior to using their weapons; they also maintain extremely high levels of operational sophistication, to the point where there is somebody with a finger on a trigger somewhere, figuring out what exploits they can risk using, depending on their assessment on how sophisticated their target will be.

... as their intelligence agencies' primary targets are North Africa and Latin America.

Where did you get this information?
It sounds like its been compiled from various spy novels.

Re:Spyware techniques and code?

[benjfowler]

Off your meds, mate??

Re:The /. community is causing more damage than Be

[bughunter]

The "awesomeness" of the commentariat departed a long time ago. What was once "awesome" is now merely "occasionally insightful or informative."

But yes, the signal to noise ratio is plummeting even further with all of the Beta whining.

Where's the beef?

Anyone find an analysis of the exploit?

I would like to know what is meant by "affecting...Linux". I have witnessed plenty of plug-in exploit / downloaders on Linux that simply produced a useless file that was made non-executable by the default mask, where I promptly discarded the binary and continued about my business.

Since Linux and BSD distros lack the ShellEx/registry root classes engineering flaws in Windows, it's particularly disingenuous to lump the two operating systems together when one is disproportionately damaged by these sort of social engineering, um passive...."attacks"...if you will.

Re:Where's the beef?

[ozmanjusri]

I would like to know what is meant by "affecting...Linux".

You're right to question the FUD.

SecureList has a MUCH better story that makes it clear "Careto" is closer to a precision-targeting crackers' toolkit rather than typical Windows malware (they have identified a total of 380 unique targets so far). It didn't just use the Flash vulnerability, but had multiple vectors, including Chrome plugins and social engineering techniques.

From their FAQ:

Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?
So far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers, but we have not yet located the Linux backdoor. Additionally, some of the C&C artifacts (logs) indicate that backdoors for Android and Apple iOS may also exist.

Have you seen any evidence of a mobile component - iOS, Android or BlackBerry?
We suspect an iOS backdoor exists but we haven't been able to locate it yet. The suspicion is based on a debug log from one of the C&C servers where a victim in Argentina is identified and logged as having a user agent of "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329". This appears to indicate it is an iPad, although without a sample, it's hard to be sure.

In addition to this, we also suspect the existence of an Android implant. This is based on a unique version identifier sent to the C&C which is "AND1.0.0.0". Communications with this unique identifier have been observed over 3G links, indicating a possible mobile device.

http://www.securelist.com/en/b...

Re:Where's the beef?

Just wait until someone starts reporting about the malware that piggybacks this, exploiting vulnerabilities in the underlying methodology behind it. Perhaps this has not only been in use since 2007, but has had second-level hijackers since 2010, and has been protected by an as yet unnamed overlord of sorts. This is gonna get phun...

Flash

When oh when will we finally be rid of that steaming pile of exploit-infested crap that is adobe flash?

spearphishing emails

How does something like this go undetected in the wild? How hard is it for AV firms to click on an email link and check what comes down the line at them?

Re:spearphishing emails

[benjfowler]

Maybe antivirus firms in Western countries will turn a blind eye to military malware coming from Western governments.

OTOH, Eugene Kaspersky is Russian, and is politically connected to Vladimir Putin and his entourage, none of whom have a lot of time for NATO...

Re:spearphishing emails

DING DING DING. *cough* collusion and secret backroom dealings you are not yet aware of *cough*

Re:spearphishing emails

[RandomFactor]

Even the mass malware distributions take basic precautions these days like excluding VMs, all known AV Vendor IP ranges, and not being malicious while the email is in transit (a link may not begin serving malicious content until hours later, when targets are arriving at the office, and may stop again afterwards.). You can analyze those links all year long if you aren't the target.

Re:spearphishing emails

[benjfowler]

Uuuugh. Looks like I've got myself a creepy internet stalker.

Sorry to disappoint you, pal. I'm straight.

ACTIVISTS ON THE LOOSE!

"...activists had been loose on the Internet since at least 2007"

As heard on DiceDot

Re:Editing? Loose activists!

Heh, keep reading... some errors could be argued to be gramatically correct, eventually, but they're certainly bad style and do not actually communicate whatever it was that's intended. eg.

"activists had been loose on the Internet since at least 2007"

IF Only

it could target the beat os Slashdot.

Re:It does, usually. (No)

[TaoPhoenix]

Oh hello Soulskill, nice to see you in the comments.

Unfortunately "last few days are hectic" isn't remotely close to right. Last Few Years, if you wheeled out that excuse. But no, don't do that either. "Last Few X is Hectic" is a tired phrase now that Big Bad Dice owns you and you have lots of firepower to add!

Uh... oh. Wait. I just heard 3rd hand they just decided both you AND us are ... worth zero!

So what exactly are any of us here doing with a value of Zero? Can you buy them out with a Dollar? (Rhetoric, Wall Street Shenanigans may apply.)

I'll leave the extended comedy routines to others. X of us see a value in a quiet eddy current called Slashdot. Since your value is officially zero, why again exactly are you going with Beta?

Plus, I asked months/a year ago about exporting existing comments out of Slashdot but you/They made sure that was never close to a possibility... really now? Data Capture? I calculate I have almost 100 blog topics stored in raw material here. But no. You gang NEVER made ANY easy export tools under ANY management even BEFORE Dice.

So I'm not going all Swearword-Beta. I'm attacking different problems. But still unhappy.

Yours,
--Tao

Surpasses nation-state code?

[Tony+Isaac]

After watching the healthcare.gov debacle, it would seem that surpassing nation-state-created software is a very low hurdle!

Re:Surpasses nation-state code?

[hink]

*rimshot*

Re:It does, usually. (No)

[Soulskill]

Plus, I asked months/a year ago about exporting existing comments out of Slashdot but you/They made sure that was never close to a possibility... really now? Data Capture? I calculate I have almost 100 blog topics stored in raw material here. But no. You gang NEVER made ANY easy export tools under ANY management even BEFORE Dice.

That's actually much closer to reality now than it's ever been. Hopefully it's something we can get finished soon, but we have a lot of work ahead of us yet. I'm sorry things are slow.

Big Bad Dice owns you and you have lots of firepower to add!

Despite popular sentiment, Dice hasn't taken to Slashdot with a heavy hand. Our engineering team is not much bigger now than when they bought us. Coming up to speed on this codebase is very much not trivial, so even if they sent us a dozen developers tomorrow, it'd be a while before their impact was felt. And the mythical man month, etc.

stop beta-whining

Yeah, stop it already. Just tell me how to get rid of beta!

There...are...four...lights!!!

[xxxJonBoyxxx]

There...are...four...lights!!!

90s triva and /.

I was playing a 90s trivia game. I was getting a lot of the 90s tech questions right. Question came up "Founded near the start of the internet this popular website remains unchanged to this day and is .."- didn't even finish the question I blurted out /.! One of the players freaked out and quit claiming "that's impossible to know that, she wasn't finished the question". The great apart about this story is now with beta we get to throw that card out. Because its a lie. Bold. faced. Lie.

From the makers of Stuxnet

New from the makers of Stuxnet, "the Mask"

Interesting too that it was KaRusski that found it. Norton and McGaffee may be on the government dole for more than just the usual welfare.

Cuba ...

[devil6god7]

I'm surprised no one has blamed Cuba yet!

Re:The /. community is causing more damage than Be

[BlueKitties]

Of course I get moderated as "offtopic," meanwhile the floods of "fbeta" are all +5. Even the moderation system is becoming a joke.