Slashdot Mirror


Sophisticated Spy Tool 'The Mask' Rages Undetected For 7 Years

thomst writes "Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.' The malware, dubbed 'The Mask' by Kaspersky's researchers, targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, research organizations, and activists. It had been loose on the Internet since at least 2007 before being shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773, affecting both Windows and Linux machines. Users were directed to the site via spearphishing emails."

14 of 98 comments

  1. Editing? by bigjocker · · Score: 4, Insightful

    This is ridiculous. What kind of editor publishes a note so badly written? You should at least read summaries out loud to see if you would look like an idiot. That would have certainly worked in this case. At least add a preview button for summaries like you do for comments, for Pete's sake.

    Hoy many errors can you spot?

    "Kim Zetter of Wired's Threat Level reports that Kaspersky Labs discovered a Spanish-language spyware application that employs "uses techniques and code that surpass any nation-state spyware previously spotted in the wild." The malware, dubbed "The Mask" by Kaspersky's researchers, targeted targeted government agencies, diplomatic offices, embassies, companies in the oil, gas and energy industries, and research organizations and activists had been loose on the Internet since at least 2007, before it was shut down last month. It infected its targets via a malicious website that contained exploits — among which were the Adobe Flash player vulnerability CVE-2012-0773 — that affected both Windows and Linux machines. Users were directed to the site via spearphishing emails."

    --
    Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
    1. Re:Editing? by TechyImmigrant · · Score: 5, Funny

      4.
      5 if you include "Hoy many errors can you spot?"

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Editing? by Anonymous Coward · · Score: 5, Insightful

      Not the OP here, but you are wrong. Good luck next time.

      1) "badly written" is acceptable
      2) "would" is correct, your "correction" of "will" is wrong.
      3) This/That is interchangeable.
      4) Now you just look like an idiot.
      5) I'm not even going to bother.

      You have five corrections but you only count four?

    3. Re:Editing? by gerddie · · Score: 4, Funny

      You have five corrections but you only count four?

      He's probably from the Spanish inquisition.

    4. Re:Editing? by Chris Mattern · · Score: 3, Informative

      Rumor has it that Alexander Graham Bell wanted everyone to answer the telephone by saying "Ahoy hoy."

      Which is not as ridiculous as it sounds. "Hello" was not a common greeting before it became standardized as the way to answer a phone.

    5. Re:Editing? by Soulskill · · Score: 2, Informative

      I just updated the summary with grammar fixes. Thanks for pointing it out.

    6. Re:Editing? by Soulskill · · Score: 2

      To be fair, the English language had it coming.

    7. Re:Editing? by itsthebin · · Score: 2

      I suggest you meant "Spanish acquisition"

      --
      ...I obey the laws of physics....
  2. "hoy" is a perfectly cromulent word by Thud457 · · Score: 5, Funny
    Merely punctuational errorification:

    Hoy! Many errors you can spot!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  3. Re:Looks like Spanish? by Omega Hacker · · Score: 2

    Considering that *Kaspersky*'s press release opens with "Dominican Republic", I would guess the people writing it are probably pretty familiar with the difference.

    --
    GStreamer - The only way to stream!
  4. It's called "The Mask"? by 93 Escort Wagon · · Score: 3, Funny

    Boy, that Jim Carrey is one talented dude...

    --
    #DeleteChrome
  5. Spyware techniques and code? by DTentilhao · · Score: 3, Insightful

    "Spanish-language spyware application that 'uses techniques and code that surpass any nation-state spyware previously spotted in the wild.'"

    The linked-to article seems a little short on details; what exactly makes these 'techniques and code' surpass any spyware previously in the wild?

    1. Re:Spyware techniques and code? by benjfowler · · Score: 2

      The infrastructure used to drive it was way beyond anything they've seen previously, even by ostensible state actors; also, this sort of thing requires a lot of expensive and time-consuming legwork typically done by state intelligence agencies. The elite intelligence agencies do extensive research on their targets prior to using their weapons; they also maintain extremely high levels of operational sophistication, to the point where there is somebody with a finger on a trigger somewhere, figuring out what exploits they can risk using, depending on their assessment of how sophisticated their target will be.

      It's likely to be Spain, as their intelligence agencies' primary targets are North Africa and Latin America. Likely, their role in NATO means they've been tasked with keeping tabs on our swarthy kamikaze friends (terrorists, drug dealers, people smugglers) on the far side of the Straits of Gibraltar. And given how many people al-Qaeda murdered during the 11-M attacks in 2004, you can hardly blame Spain for muscling up.

  6. Re:Where's the beef? by ozmanjusri · · Score: 4, Informative

    I would like to know what is meant by "affecting...Linux".

    You're right to question the FUD.

    SecureList has a MUCH better story that makes it clear "Careto" is closer to a precision-targeting crackers' toolkit rather than typical Windows malware (they have identified a total of 380 unique targets so far). It didn't just use the Flash vulnerability, but had multiple vectors, including Chrome plugins and social engineering techniques.

    From their FAQ:

    Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?
    So far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers, but we have not yet located the Linux backdoor. Additionally, some of the C&C artifacts (logs) indicate that backdoors for Android and Apple iOS may also exist.

    Have you seen any evidence of a mobile component - iOS, Android or BlackBerry?
    We suspect an iOS backdoor exists but we haven't been able to locate it yet. The suspicion is based on a debug log from one of the C&C servers where a victim in Argentina is identified and logged as having a user agent of "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329". This appears to indicate it is an iPad, although without a sample, it's hard to be sure.

    In addition to this, we also suspect the existence of an Android implant. This is based on a unique version identifier sent to the C&C which is "AND1.0.0.0". Communications with this unique identifier have been observed over 3G links, indicating a possible mobile device.

    http://www.securelist.com/en/b...

    --
    "I've got more toys than Teruhisa Kitahara."
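The quoted FAQ infers victim platforms from C&C-side artifacts: a user-agent string (the iPad one above) and a bare version identifier ("AND1.0.0.0") seen over 3G. Below is an added example, not code from the page or from Kaspersky, of the same kind of defender-side log triage: the log format, the `victim=`/`ua=`/`ver=`/`link=` fields and all sample lines are constructed for illustration; only the iPad user-agent string and the Android version id come from the FAQ.

```python
import re
from collections import Counter

# Constructed sample log lines in a made-up C&C log format (not real artifacts).
# The iPad user agent and the "AND1.0.0.0" version id are the values quoted in the FAQ.
SAMPLE_LOG = """\
2013-09-01 10:12:03 victim=AR-0017 ua="Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329"
2013-09-01 10:13:44 victim=ES-0042 ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"
2013-09-01 10:14:09 victim=BR-0009 ver=AND1.0.0.0 link=3G
2013-09-01 10:15:51 victim=MX-0031 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.71 (KHTML, like Gecko)"
"""

def platform_from_ua(ua):
    """Coarse platform label from a user-agent string. iOS is checked first because
    iOS user agents also contain the substring 'Mac OS X'."""
    m = re.search(r'\((iPad|iPhone|iPod); CPU (?:iPhone )?OS (\d+(?:_\d+)*)', ua)
    if m:
        return f"iOS {m.group(2).replace('_', '.')} ({m.group(1)})"
    m = re.search(r'Android (\d+(?:\.\d+)*)', ua)
    if m:
        return f"Android {m.group(1)}"
    m = re.search(r'Windows NT (\d+\.\d+)', ua)
    if m:
        return f"Windows NT {m.group(1)}"
    m = re.search(r'Mac OS X (\d+(?:_\d+)*)', ua)
    if m:
        return f"Mac OS X {m.group(1).replace('_', '.')}"
    return "unknown"

def classify_line(line):
    """Return (victim, platform_guess, mobile_link) for one constructed log line.
    A line without a user agent is classified from the implant version id, if any."""
    victim = re.search(r'victim=(\S+)', line)
    ua = re.search(r'ua="([^"]*)"', line)
    ver = re.search(r'ver=(\S+)', line)
    link = re.search(r'link=(\S+)', line)
    if ua:
        platform = platform_from_ua(ua.group(1))
    elif ver and ver.group(1).startswith("AND"):
        platform = f"Android (version id {ver.group(1)})"
    else:
        platform = "unknown"
    return (victim.group(1) if victim else "?", platform, bool(link and link.group(1) == "3G"))

def triage(log_text):
    """Map each victim to its platform guess and count platforms across the log."""
    rows = [classify_line(l) for l in log_text.splitlines() if l.strip()]
    by_victim = {v: (p, mobile) for v, p, mobile in rows}
    return by_victim, Counter(p for _, p, _ in rows)
```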