Most of the early Internet malware were simple programs created by bored amateurs. But it's not 1999 anymore. As the Internet has grown more sophisticated, so has malware. A new report from Kaspersky labs dissects what could be the most sophisticated malware yet discovered in the wild.
The software, dubbed Careto, is a sophisticated suite of tools for compromising computers and collecting a wealth of information from them. Whoever is behind the malware sends out "spear phishing" e-mails, with addresses designed to be mistaken for the Web sites of mainstream newspapers, such as The Washington Post or the Guardian. If the user clicks on a link, it takes her to a Web site that scans her system for vulnerabilities and attempts to infect it. There are multiple versions of the malicious software designed to attack Windows, Mac OS X and Linux versions, and Kapersky believes there may be versions that attack iOS and Android.
Once Careto has compromised a system, it begins collecting sensitive information from it. The software can "intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations."
It can also capture any encryption keys found on the machine, which can help launch attacks against other machines. The software has a plug-in architecture, allowing the attacker to dynamically load new software to perform tasks such as monitoring keystrokes or capturing the victim's email.
Early malware spread uncontrolled from computer to computer. In contrast, Careto is highly targeted. Kaspersky was able to gather data about who was subject to attacks. Most of the attacks targeted government institutions, embassies, oil and gas companies, research organizations, private equity firms and activists.
Computers around the world were targeted, with no apparent pattern:
So who's behind the malware? It's likely that only national intelligence agencies have the resources to build software of this complexity and sophistication. Fragments of Spanish embedded in the software's files suggest that the culprit is a native Spanish speaker. But it's not clear which Spanish-speaking nation would build such a sophisticated intelligence operation. And the researchers note that the fragments of Spanish may be a "false flag" operation: The software's authors may have deliberately inserted Spanish slang into the software's source code to divert attention from the real authors.
Regardless, the emergence of the malware underscores that software-based espionage is an important new source of power. Last year, documents leaked by Edward Snowden revealed that the National Security Agency has a large "Tailored Access Operations" department dedicated to building offensive hacking capabilities. If the NSA didn't build Careto, it's a safe bet that they have something like it. And intelligence agencies in China, Russia and other great powers are likely working on software like it too.