 © COPYRIGHT 2013 International Education Institute, ATTN: Ken Harvey, 2027 W. Canal Drive, Kennewick WA 99336, USA

David Meyer
According to Kaspersky Lab, a malware bundle dubbed “The Mask” was used to spy on government institutions, activists and energy companies across 31 countries for years. Here’s what it did, and where it might have come from.
The Russian security firm Kaspersky Lab announced late Monday that it had uncovered what it calls “The Mask”, a bundle of cyber-nastiness that was apparently used to spy on people for as long as seven years (Kaspersky traces the earliest samples back to 2007).

Here’s a primer on what The Mask was apparently capable of, and the hints we have as to its origins.

What’s in the box?

The Mask is what is classified as an “advanced persistent threat” (APT): a long-running, targeted espionage campaign rather than a piece of opportunistic crimeware. Other examples of APTs include Stuxnet, a worm that (according to many sources, including Edward Snowden) was an Israeli-American operation used to sabotage Iran’s uranium-enrichment efforts, and related malware such as Duqu and Flame.

According to Kaspersky, The Mask included “an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS.” Versions for 32-bit and 64-bit Windows were also in there.

Who got hit and how?

At least 380 victims in 31 countries, mostly government institutions, activists, diplomats, energy companies and research organizations. The Mask siphoned off documents, encryption keys, Skype conversations, keystrokes and so on.

This was a very stealthy and pervasive tool set, able to tap into all of a target computer’s communications channels. It had more than one way in. At least one Adobe Flash flaw (CVE-2012-0773, which Adobe patched in 2012) was used to infect visitors to the attackers’ websites. Separately, the implant tried to exploit an old, long-since-patched vulnerability in Kaspersky’s own security products in order to hide itself from them; that attempt is what put Kaspersky onto the thing in the first place. So the Kaspersky flaw was an evasion trick, not an infection vector.

Generally, victims clicked on links in spear-phishing emails that took them to websites with exploits waiting in hidden subdirectories. These sites were sometimes disguised as subsections of online newspapers such as El Pais and El Mundo, but also of non-Spanish publications including Time, The Guardian and The Washington Post; once the exploit had run, the visitor was forwarded to the real article, so nothing looked amiss. Apart from spying, the malware also set up a channel through which other modules of unpleasantness could be uploaded.
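One practical check that falls out of the infection story above is to look for hostnames that borrow a newspaper’s brand but sit under somebody else’s domain. The script below is an added example written for this page, not code from the article or from Kaspersky’s report: the proxy-log lines, the lookalike hostnames and the brand-to-domain mapping are all constructed for illustration, and the registered-domain logic is a deliberate simplification (no public-suffix list, no homoglyph or typo-squat matching).

```python
"""Flag proxy-log URLs whose hostname impersonates a newspaper section.

Added example, not from the original article or from Kaspersky.  The
sample log and the lookalike hosts are constructed; the LEGIT_DOMAINS
mapping is an assumption of this example.
"""
from urllib.parse import urlsplit

# Legitimate registered domains for the brands the article names
# (assumed for this example; a real deployment would curate this list).
LEGIT_DOMAINS = {
    "elpais": {"elpais.com"},
    "elmundo": {"elmundo.es"},
    "time": {"time.com"},
    "guardian": {"theguardian.com", "guardian.co.uk"},
    "washingtonpost": {"washingtonpost.com"},
}

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1392048001.123 10.0.0.15 GET http://www.elpais.com/internacional/ 200
1392048005.456 10.0.0.15 GET http://elpais.politica.news-mirror.example/2014/02/10/index.html 200
1392048010.789 10.0.0.22 GET https://www.theguardian.com/world 200
1392048015.012 10.0.0.22 GET http://the-guardian.world-news.example/uk/ 200
1392048020.345 10.0.0.31 GET http://www.washingtonpost.com/politics/ 200
1392048025.678 10.0.0.31 GET http://time.archive-cache.example/magazine/article.html 200
1392048030.901 10.0.0.40 GET http://sometime.example/ 200
"""


def registered_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or three for a few two-part suffixes.

    A real tool should use the public suffix list; this is enough to show
    the idea without a network dependency.
    """
    labels = host.lower().rstrip(".").split(".")
    two_part = {"co.uk", "com.ar", "com.es"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_part:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host: str):
    """Return the brand a hostname appears to impersonate, or None.

    A host is suspicious when one of its labels (hyphens removed) is a
    known brand, or "the" + brand, while the registered domain is not one
    of that brand's legitimate domains.  Whole-label matching keeps
    hosts like sometime.example from tripping the "time" brand.
    """
    host = host.lower().rstrip(".")
    if not host:
        return None
    reg = registered_domain(host)
    labels = [label.replace("-", "") for label in host.split(".")]
    for brand, domains in LEGIT_DOMAINS.items():
        if reg in domains:
            continue  # genuinely the paper's own site
        if any(label == brand or label == "the" + brand for label in labels):
            return brand
    return None


def scan_log(text: str):
    """Return (client, host, brand) for every URL that impersonates a brand."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname or ""
        brand = impersonated_brand(host)
        if brand:
            hits.append((client, host, brand))
    return hits


if __name__ == "__main__":
    for client, host, brand in scan_log(SAMPLE_LOG):
        print(f"{client} visited {host} (looks like {brand})")
```

Run against the constructed log, three of the seven requests are flagged: the fake El Pais section, the hyphenated Guardian lookalike and the Time “archive”. The genuine newspaper sites and the unrelated sometime.example host pass. A check like this is cheap to run over existing proxy or DNS logs and would have caught the lure pattern the article describes, but it is only a heuristic; it says nothing about hosts that use no brand string at all.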

Who would do such a thing?

Almost certainly an intelligence agency or some other state-sponsored outfit. According to Kaspersky Lab research director Costin Raiu, the operational discipline behind it points to a state rather than a criminal group:

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”

Why “The Mask”?

Because the code contains the word “careto”, which is Spanish slang for “ugly face” or “mask”. Kaspersky actually uses “Careto” as the name for one of the two backdoor implants included in the package, a general-purpose user-mode backdoor; the other, “SGH”, works mostly in kernel mode, intercepting system events and file operations.

There are also other terms in there that point to a Spanish-language connection, such as “Caguen1aMar”, which reads as a contraction of “me cago en la mar”, a common Spanish expletive (literally, an expression about defecating in the sea). One of the command-and-control (C&C) server domains was also apparently registered to an Argentinian.

Add to this the frequency of Spanish newspapers in the attack vector, and it does appear there is some connection to the Spanish-speaking world. That’s not an established fact, however – the authors could have dropped in such hints to obfuscate The Mask’s true origins.

According to Kaspersky, it is very rare to see the Spanish language used in APT attacks – Chinese is much more common.

Should I be scared?

Kaspersky said the operators shut down their C&C servers in January 2014, while its investigation was under way, so this particular build of The Mask probably isn’t going to get you. If you’re in that reasonably limited target group, however, there’s every chance that a variant is out there, as is the motive.

In short, the moral of the story is: don’t click on dodgy links in emails. But you knew that anyway, right?