Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years

← Back to Stories (view on slashdot.org)

Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years

Posted by samzenpus on Monday February 10, 2014 @09:06AM from the protect-ya-neck dept.

thomst writes "Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.' The malware, dubbed 'The Mask' by Kaspersky's researchers, targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, research organizations, and activists. It had been loose on the Internet since at least 2007 before being shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773, affecting both Windows and Linux machines. Users were directed to the site via spearphishing emails."

59 of 98 comments (clear)

Min score:

Reason:

Sort:

Editing? by bigjocker · 2014-02-10 09:10 · Score: 4, Insightful

This is ridiculous. What kind of editor publishes a note so badly written? You should at least read summaries out loud to see if you would look like an idiot. That would have certainly worked in this case. At least add a preview button for summaries like you do for comments for pete's sake.
Hoy many errors can you spot?
"Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that employs "uses techniques and code that surpass any nation-state spyware previously spotted in the wild." The malware, dubbed "The Mask" by Kaspersky's researchers, targeted targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, and research organizations and activists had been loose on the Internet since at least 2007, before it was shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773 — that affected both Windows and Linux machines. Users were directed to the site via spearphishing emails."

--
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
1. Re:Editing? by TechyImmigrant · 2014-02-10 09:14 · Score: 5, Funny
  
  4.
  5 if you include "Hoy many errors can you spot?"
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:Editing? by bigjocker · 2014-02-10 09:25 · Score: 1
  
  Yes, it's missing an A before Hoy ... sorry about that
  
  --
  Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
3. Re:Editing? by Strider- · 2014-02-10 09:26 · Score: 1
  
  Slashdot Drinking Game?
  
  --
  ...si hoc legere nimium eruditionis habes...
4. Re:Editing? by Anonymous Coward · 2014-02-10 09:26 · Score: 5, Insightful
  
  Not the OP here, but you are wrong. Good luck next time.
  1) "badly written" is acceptable
  2) "would" is correct, your "correction" of "will" is wrong.
  3) This/That is interchangeable.
  4) Now you just look like an idiot.
  5) I'm not even going to bother.
  You have five corrections but you only count four?
5. Re:Editing? by CanHasDIY · 2014-02-10 09:30 · Score: 1
  
  Yes, it's missing an A before Hoy ... sorry about that
  Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."
  Considering that much modern slang is just shortened versions of older sayings, I'd call "hoy" by itself a fair greeting.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
6. Re:Editing? by asmkm22 · 2014-02-10 09:43 · Score: 1
  
  Seriously, this is bad even for Slashdot standards.
7. Re:Editing? by gerddie · 2014-02-10 09:44 · Score: 4, Funny
  
  You have five corrections but you only count four?
  He's probably from the Spanish inquisition.
8. Re:Editing? by Ralph+Wiggam · 2014-02-10 09:47 · Score: 1
  
  Bigjocker does not pretend to be a competent writer or editor. Thomst does.
9. Re:Editing? by wonkey_monkey · 2014-02-10 09:53 · Score: 1
  
  "poorly written"*
  "if you will look like an idiot"*
  "This would have"*
  "summaries similar to the ones for"*
  "Pete's sake"*
  I count four.
  Really? I count five. Well, less, really, because at least one is wrong ("would look" is better than "will look" because the opportunity correction exists) and most of the rest are highly debatable, not least for the fact that the GP isn't pretending to be a professional news website.
  
  --
  systemd is Roko's Basilisk.
10. Re:Editing? by Chris+Mattern · 2014-02-10 10:04 · Score: 3, Informative
  
  Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."
  Which is not as ridiculous as it sounds. "Hello" was not a common greeting before it became standardized as the way to answer a phone.
11. Re:Editing? by wonkey_monkey · 2014-02-10 10:08 · Score: 1
  
  because the opportunity for correction exists
  FTFM.
  
  --
  systemd is Roko's Basilisk.
12. Re:Editing? by mwehle · 2014-02-10 10:13 · Score: 1
  
  Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."
  Considering that much modern slang is just shortened versions of older sayings, I'd call "hoy" by itself a fair greeting.
  "Hoy hoy hoy" would be (will be?) a fair greeting among pojama people.
  
  --
  Wir sind geboren, um frei zu sein - Rio Reiser
13. Re:Editing? by Soulskill · 2014-02-10 10:15 · Score: 2, Informative
  
  I just updated the summary with grammar fixes. Thanks for pointing it out.
14. Re:Editing? by steelfood · 2014-02-10 10:22 · Score: 1
  
  Es just Spanish.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
15. Re:Editing? by BronsCon · 2014-02-10 10:22 · Score: 1
  
  You missed "Hoy".
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
16. Re:Editing? by neminem · 2014-02-10 10:27 · Score: 1
  
  Research organizations and activists *have* been loose on the internet since at least 2007, though. Quite a bit earlier, even.
17. Re:Editing? by CanHasDIY · 2014-02-10 10:52 · Score: 1
  
  Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."
  Which is not as ridiculous as it sounds. "Hello" was not a common greeting before it became standardized as the way to answer a phone.
  I dig it.
  Hell, I'd answer the phone that way myself if so many other greetings weren't already burned into my subconscious.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
18. Re:Editing? by BitZtream · 2014-02-10 10:54 · Score: 1
  
  Could you please explain why this doesn't happen BEFORE hand?
  Its not like this is a one time thing, this happens pretty much daily.
  Do you guys not have any standards at all? You just keep letting these guys who are clearly not even high school graduates function as 'editors' without ever addressing the issue?
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
19. Re:Editing? by Soulskill · 2014-02-10 11:02 · Score: 1
  
  It does, usually. You don't notice the typos that have already been fixed because there's nothing to notice.
  But we do make mistakes. We can't get 100% of them, but we try to. As you can imagine, it's been pretty hectic around here for the past few days, and that doesn't help.
20. Re:Editing? by gmagill · 2014-02-10 11:10 · Score: 1
  
  I think FZ sang it best:
  http://www.youtube.com/watch?v...
21. Re:Editing? by PPH · 2014-02-10 11:12 · Score: 1
  
  for pete's sake
  6. "Pete" is a proper name and should be capitalized.
  
  --
  Have gnu, will travel.
22. Re:Editing? by grcumb · 2014-02-10 11:14 · Score: 1
  
  1) "badly written" is acceptable
  Not in this context. 'Badly written' normally means 'illegible'. 'Poorly written' is the appropriate phrase.
  So Dexter, seeing a quotation from Paradise Lost scrawled by a bloody hand across the wall of a Miami condo, would say, 'That was badly written.'
  Milton's ghost, on the other hand, would look at the awkward parts of the latter seasons of Dexter and say, 'That was poorly written.'
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
23. Re:Editing? by Ralph+Wiggam · 2014-02-10 11:16 · Score: 1
  
  You don't notice the typos that have already been fixed because there's nothing to notice.
  These weren't typos. This was assault and battery on the English language.
24. Re:Editing? by ColdWetDog · 2014-02-10 11:25 · Score: 1
  
  "English is a language that lurks in dark alleys, beats up other languages and rifles through their pockets for spare vocabulary."
  
  --
  Faster! Faster! Faster would be better!
25. Re:Editing? by TechyImmigrant · 2014-02-10 11:42 · Score: 1
  
  They should put stories under version control.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
26. Re:Editing? by Soulskill · 2014-02-10 11:54 · Score: 2
  
  To be fair, the English language had it coming.
27. Re:Editing? by PRMan · 2014-02-10 12:13 · Score: 1
  
  Actually, it started in 1803 and was fairly common by the time the telephone was invented.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
28. Re:Editing? by itsthebin · 2014-02-10 16:34 · Score: 2
  
  I suggest you meant "Spanish acquisition "
  
  --
  ...I obey the laws of physics....
29. Re:Editing? by gl4ss · 2014-02-10 22:12 · Score: 1
  
  haha that's brilliant! because that's one thing nobody ever expects!!!
  
  --
  world was created 5 seconds before this post as it is.
30. Re: Editing? by blackiner · 2014-02-11 04:11 · Score: 1
  
  Oh wow, this makes me appreciate the Simpsons even more. Mr. Burns used to answer the phone like that, I thought it was just some weird mannerism as a kid, but I guess the joke was that he is just *that* old.
31. Re:Editing? by mcgrew · 2014-02-11 06:05 · Score: 1
  
  Slashdot editors are technologists, not English majors. I do suggest to them that they hire a couple of English majors to do a quick proofread when the editors are done, though (not me, I'm literate but that wasn't even my minor, and I'm retiring this month anyway).
  
  --
  Free Martian Whores!
"hoy" is a perfectly cromulent word by Thud457 · 2014-02-10 09:18 · Score: 5, Funny

Merely punctuational errorification:

Hoy! Many errors you can spot!

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
1. Re:"hoy" is a perfectly cromulent word by TranquilVoid · 2014-02-10 14:09 · Score: 1
  
  Actually he's correct when you consider the story is about Spanish malware;
  
  "Today many errors you can spot!"
Looks like Spanish? by cold+fjord · 2014-02-10 09:25 · Score: 1

We are well into the era of automated translation programs. I'm not sure that the language you see is necessarily what it was written in.
Having said that, I wonder if they considered Portuguese? Looks a lot like Spanish, and Brazil is a major power in malware.

--
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
1. Re:Looks like Spanish? by Omega+Hacker · 2014-02-10 09:28 · Score: 2
  
  Considering that *Kaspersky*'s press release opens with "Dominican Republic", I would guess the people writing it are probably pretty familiar with the difference.
  
  --
  GStreamer - The only way to stream!
2. Re:Looks like Spanish? by CanHasDIY · 2014-02-10 09:31 · Score: 1
  
  We are well into the era of automated translation programs. I'm not sure that the language you see is necessarily what it was written in.
  Having said that, I wonder if they considered Portuguese? Looks a lot like Spanish, and Brazil is a major power in malware.
  If you aren't writing your malware in Esperanto, you're not trying.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
It's called "The Mask"? by 93+Escort+Wagon · 2014-02-10 09:30 · Score: 3, Funny

Boy, that Jim Carrey is one talented dude...

--
#DeleteChrome
Publish It All On the Net by JimSadler · 2014-02-10 09:30 · Score: 1

I hope that all information that was gathered is published widely on the net and that all English versions are added. The public has a right to know.
a Spanish-language spyware attacks english grammer by Anonymous Coward · 2014-02-10 09:31 · Score: 1

apparently it targeted targeted slashdot too, via exploits that affected both submitters and editors
Sequence of The Mask events by WillAffleckUW · 2014-02-10 09:57 · Score: 1

1. Profit
2. Come up with reason for spying ...
4. Ask for authorization seven years later in secret cabinet meeting held in disused lavatory in sub-sub-basement of outmoded surplus warehouse.

--
-- Tigger warning: This post may contain tiggers! --
1. Re:Sequence of The Mask events by bughunter · 2014-02-10 11:11 · Score: 1
  
  There is no Five... Three! I mean three!
  
  --
  I can see the fnords!
2. Re:Sequence of The Mask events by sjames · 2014-02-10 16:00 · Score: 1
  
  No documents have been located responsive to your requect for information on 'Step #3'. Move along Citizen, nothing to see here.
Re:a Spanish-language spyware attacks english gram by mwehle · 2014-02-10 10:16 · Score: 1

And it attacks grammar to boot for Pete's sake!

--
Wir sind geboren, um frei zu sein - Rio Reiser
Spyware techniques and code? by DTentilhao · 2014-02-10 10:34 · Score: 3, Insightful

"Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.'"

The linked to article seems a little short on details, what exactly makes these `techniques and code' surpass any spyware previously in the wild?
1. Re:Spyware techniques and code? by benjfowler · 2014-02-10 11:12 · Score: 2
  
  The infrastructure used to drive it was way beyond anything they've seen previously, even by ostensibe state actors; also, this sort of thing requires a lot of expensive and time-consuming legwork typically done by state intelligence agencies. The elite intelligence agencies do extensive research on their targets prior to using their weapons; they also maintain extremely high levels of operational sophistication, to the point where there is somebody with a finger on a trigger somewhere, figuring out what exploits they can risk using, depending on their assessment on how sophisticated their target will be.
  It's likely to be Spain, as their intelligence agencies' primary targets are North Africa and Latin America. Likely, their role in NATO means they've been tasked with keeping tabs on our swarthy kamikaze friends (terrorists, drug dealers, people smugglers) on the far side of the Straits of Gibraltar. And given how many people al-Qaeda murdered during the 11-M attacks in 2004, you can hardly blame Spain for muscling up.
2. Re:Spyware techniques and code? by kbrannen · 2014-02-10 11:58 · Score: 1
  
  Can we use (sadly) this as yet another reason Flash must die? How many examples of bad security will it take before kill Flash forever? (Yeah, I know, marketing doesn't care about security as long as it looks good.)
3. Re:Spyware techniques and code? by benjfowler · 2014-02-10 21:58 · Score: 1
  
  Off your meds, mate??
Re:The /. community is causing more damage than Be by bughunter · 2014-02-10 11:10 · Score: 1

The "awesomeness" of the commentariat departed a long time ago. What was once "awesome" is now merely "occasionally insightful or informative."
But yes, the signal to noise ratio is plummeting even further with all of the Beta whining.

--
I can see the fnords!
Re:spearphishing emails by benjfowler · 2014-02-10 12:09 · Score: 1

Maybe antivirus firms in Western countries will turn a blind eye to military malware coming from Western governments.
OTOH, Eugene Kaspersky is Russian, and is politically connected to Vladimir Putin and his entourage, none of whom have a lot of time for NATO...
Re:Where's the beef? by ozmanjusri · 2014-02-10 13:26 · Score: 4, Informative

I would like to know what is meant by "affecting...Linux".
You're right to question the FUD.
SecureList has a MUCH better story that makes it clear "Careto" is closer to a precision-targeting crackers' toolkit rather than typical Windows malware (they have identified a total of 380 unique targets so far). It didn't just use the Flash vulnerability, but had multiple vectors, including Chrome plugins and social engineering techniques.
From their FAQ:

Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?
So far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers, but we have not yet located the Linux backdoor. Additionally, some of the C&C artifacts (logs) indicate that backdoors for Android and Apple iOS may also exist.
Have you seen any evidence of a mobile component - iOS, Android or BlackBerry?
We suspect an iOS backdoor exists but we haven't been able to locate it yet. The suspicion is based on a debug log from one of the C&C servers where a victim in Argentina is identified and logged as having a user agent of "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329". This appears to indicate it is an iPad, although without a sample, it's hard to be sure.
In addition to this, we also suspect the existence of an Android implant. This is based on a unique version identifier sent to the C&C which is "AND1.0.0.0". Communications with this unique identifier have been observed over 3G links, indicating a possible mobile device.
http://www.securelist.com/en/b...

--
"I've got more toys than Teruhisa Kitahara."
Re:It does, usually. (No) by TaoPhoenix · 2014-02-10 14:43 · Score: 1

Oh hello Soulskill, nice to see you in the comments.
Unfortunately "last few days are hectic" isn't remotely close to right. Last Few Years, if you wheeled out that excuse. But no, don't do that either. "Last Few X is Hectic" is a tired phrase now that Big Bad Dice owns you and you have lots of firepower to add!
Uh... oh. Wait. I just heard 3rd hand they just decided both you AND us are ... worth zero!
So what exactly are any of us here doing with a value of Zero? Can you buy them out with a Dollar? (Rhetoric, Wall Street Shenanigans may apply.)
I'll leave the extended comedy routines to others. X of us see a value in a quiet eddy current called Slashdot. Since your value is officially zero, why again exactly are you going with Beta?
Plus, I asked months/a year ago about exporting existing comments out of Slashdot but you/They made sure that was never close to a possibility... really now? Data Capture? I calculate I have almost 100 blog topics stored in raw material here. But no. You gang NEVER made ANY easy export tools under ANY management even BEFORE Dice.
So I'm not going all Swearword-Beta. I'm attacking different problems. But still unhappy.
Yours,
--Tao

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Surpasses nation-state code? by Tony+Isaac · 2014-02-10 16:07 · Score: 1

After watching the healthcare.gov debacle, it would seem that surpassing nation-state-created software is a very low hurdle!
1. Re:Surpasses nation-state code? by hink · 2014-02-11 02:45 · Score: 1
  
  *rimshot*
  
  --
  - speaking only for myself, as always
Re:It does, usually. (No) by Soulskill · 2014-02-10 16:34 · Score: 1

Plus, I asked months/a year ago about exporting existing comments out of Slashdot but you/They made sure that was never close to a possibility... really now? Data Capture? I calculate I have almost 100 blog topics stored in raw material here. But no. You gang NEVER made ANY easy export tools under ANY management even BEFORE Dice.
That's actually much closer to reality now than it's ever been. Hopefully it's something we can get finished soon, but we have a lot of work ahead of us yet. I'm sorry things are slow.

Big Bad Dice owns you and you have lots of firepower to add!
Despite popular sentiment, Dice hasn't taken to Slashdot with a heavy hand. Our engineering team is not much bigger now than when they bought us. Coming up to speed on this codebase is very much not trivial, so even if they sent us a dozen developers tomorrow, it'd be a while before their impact was felt. And the mythical man month, etc.
Re:spearphishing emails by RandomFactor · 2014-02-10 16:47 · Score: 1

Even the mass malware distributions take basic precautions these days like excluding VMs, all known AV Vendor IP ranges, and not being malicious while the email is in transit (a link may not begin serving malicious content until hours later, when targets are arriving at the office, and may stop again afterwards.). You can analyze those links all year long if you aren't the target.

--
--- Mercutio was right.
Re:spearphishing emails by benjfowler · 2014-02-10 22:01 · Score: 1

Uuuugh. Looks like I've got myself a creepy internet stalker.
Sorry to disappoint you, pal. I'm straight.
There...are...four...lights!!! by xxxJonBoyxxx · 2014-02-11 02:08 · Score: 1

There...are...four...lights!!!
Re:The /. community is causing more damage than Be by BlueKitties · 2014-02-12 04:30 · Score: 1

Of course I get moderated as "offtopic," meanwhile the floods of "fbeta" are all +5. Even the moderation system is becoming a joke.

--
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]