Sophisticated Careto Virus Discovered – Attackers infect via Phishing.

Tampa, FL and Galway, Ireland – 19th Feb  2014. The weather is almost too warm in Sochi for the Olympics.  One needs adequate packed powder snow to ski, or at least to ski safely—instead, in Sochi, they have ice, plus clouds.  Clouds make it difficult to see where you are going: when the sky and the ground are the same colour, you cannot distinguish heaven from earth.  It is easy to get disoriented and suffer the sensation of not knowing whether you are skiing across the snow or floating above it.

But in Moscow, there is plenty of snow.  There at Kaspersky (which is one of the anti virus solutions included with SpamTitan anti spam), security researchers and antivirus software developers are hunkered down in the double-paned-windowed-warmth of a Moscow winter, working long hours to find, expose, and the contain computer viruses.   

What they found this week was Careto.  This virus was lurking in the same place as a related virus found a few years ago. Kaspersky published a detailed forensic report to explain what they found. Some of this forensics you could have done yourself; other is much more complex.  For example, they use the Linux program “strings” to extract text from the executable file.  There they found comments and instructions that the programmer had written in Spanish, plus the name of the virus itself: Careto.

Servers used by attackers revealed 380+ victims from 31 countries. 

Kaspersky says this Spanish word means “ugly face” or “mask”.  According to Kaspersky ‘What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone)’. It’s believed that some foreign government paid to develop the virus, because it works on so many systems, suggesting a large team and much effort.  Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets were government organisations including embassies, energy, oil and gas companies, research institutions, and activist’s and private equity firms.

Careto spreads using phishing. If you clicked on a mail containing their malicious link, you would have been sent to mock-up copies of El Pais, The Washington Post, El Especatdor, El Mundo, and Publico newpapers.  The actual link is hidden.  It says, for example: elpais.linkconf(dot)net.  Careto infected some computers by exploiting a weakness in the 2012 version of Adobe Flash (Flash is used to display video in certain web pages.). The other attack was made by hiding an executable program in an otherwise harmless .jpeg picture file.  The names are: dinner.jpg, waiter.jpg, and chef.jpg.  

For victims a Catero malware infection spells disaster.

The virus intercepts all communication channels and collects information from the victim’s machine. Once installed, the virus steals encryption keys, records Skype calls, transcribes what you type, and listens in on data coming to and from your device. It then sends these stolen passwords, email addresses, and bank account numbers, and other secrets to a set of command and control servers, controlled by the hackers.  One of these was found running inside a SoftLayer data centre, a cloud-service provider.

Detection is difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules. Having made their discovery, Kaspersky was able to follow the virus’s forensic clues to show what computers were affected and provide lots of details about where the virus came from.  Kaspersky Lab’s products detects and removes all known versions of The Mask/Careto malware so you are safe from Careto when using SpamTitan anti spam.  

SpamTitan anti spam for business wins 26th Virus Bulletin award easily

Galway, Ireland and Tampa, FL – February 6th 2014. The powerful email security solution SpamTitan continues to get top spam detection rates and excellent performance in the latest Virus Bulletin Test which took place in January 2014. SpamTitan hasn’t missed a Virus Bulletin comparative since 2009, and has maintained an impressive spam catch rate, false positive rate as well as keeping the VB team happy with good design and reliable performances.

According to Virus Bulletin test director Martin Grooten ‘with a spam catch rate of 99.73%, SpamTitan performs very well out of the box. A 26th consecutive VBSpam award is something to be proud of’. This time 18 full solutions were tested and this was the first time the new SpamTitan 6.00 version of the virtual appliance was tested. Read more about SpamTitan's recent awards.