The Mask - they say this malware works on Linux



C.S.Cameron
February 11th, 2014, 12:59 PM
Comments?

http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen/

vasa1
February 11th, 2014, 01:27 PM
From the link:

They're tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value.
...
The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. ...
I'm safe ;)

coldraven
February 11th, 2014, 05:22 PM
Don't run Java in your browser.

neu5eeCh
February 12th, 2014, 02:46 AM
Okay. Explain this to me. How does just visiting a website infect one's computer? I mean, crikey, if it's really that easy, why bother? And what are we talking about? Is JavaScript as much a threat as Java (I know they're very different)?

neu5eeCh
February 12th, 2014, 03:10 AM
Don't run Java in your browser.

"One of the exploits recently used by the attackers targeted CVE-2012-0773 (http://www.adobe.com/support/security/bulletins/apsb12-07.html), a highly critical vulnerability in Adobe's Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers."

So, are you asserting that the "malicious code" was Java-based? In other words, the malware used a security hole in Adobe Flash Player to execute Java?

Don_Stahl
February 12th, 2014, 03:27 PM
Vulnerabilities exist in unpatched versions of Oracle's Java JRE, in Adobe's Flash Player, and some other stuff. OK. That's common knowledge, and that's why it's important to keep software up-to-date, right?

JavaScript is so widely used online that most people have it enabled. That makes it a useful scripting language for attackers to use when probing for exploitable vulnerabilities. Again, we all know about this.

So yes: if you visit a website and you have unpatched and vulnerable software on your computer, then it's possible to get hit with malware without doing anything much. A JavaScript routine runs when the page loads, and if it finds a wide-open hole it can shove malware down the pipe to your PC. If you have JavaScript disabled, it's much less likely that will happen, I believe. If you run Linux, then it's very likely the designer will have to get you to participate somehow in the malware installation. On the other hand, older and insecure versions of Windows, particularly, are more likely to allow silent download-and-run malware attacks. At least, that's my impression.

I can't find much yet on the exact exploits The Mask used, other than the reference to Flash. Some of the spear-phishing directed victims to videos, which could point to an exploit of vulnerable versions of Flash. My guess is that, over the 7 years of its operating life, The Mask attempted to exploit a number of different vulnerabilities. Given its reputed sophistication, and the active involvement of its controllers (the control servers were shut down very fast once Kaspersky discovered the malware), I imagine there were frequent upgrades to the malware as old vulnerabilities were patched and new exploits found.

Edit because I just remembered: It seems that I've read of an exploit in which the victim goes to a Flash video site. Could look completely legit. When the video starts to load a message appears -- "You need to update Flash to view this video." Completely bogus: when the victim clicks "OK" then he has just given permission to install not a Flash upgrade but a malware package. This is not a Flash vulnerability, it is an attack based on social engineering (and loose permission control, common in earlier versions of Windows).
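Added example (mine, not code from the thread or from Kaspersky's analysis of The Mask): the "probing" step Don_Stahl describes is, in practice, a landing-page script that reads navigator.plugins, parses each plugin's version, and only serves an exploit when the version is below the patched one. The Flash threshold below is the fixed version named in APSB12-07 for CVE-2012-0773; the Java threshold and the sample plugin list are constructed for illustration and are not tied to any specific CVE. The same comparison, run by a defender, answers whether a machine is exposed to a version-gated drive-by at all.

```javascript
// Version-gated plugin probe, in the style of an exploit-kit landing page.
// navigator.plugins is only present in a browser, so a constructed sample
// stands in for it when run under Node.

const PATCHED = {
  'Shockwave Flash': '11.2.202.228',  // fixed version per APSB12-07 (CVE-2012-0773)
  'Java(TM) Plug-in': '1.7.0.5',      // assumed threshold, for illustration only
};

// Compare dotted version strings field by field, numerically.
// A plain string comparison gets this wrong: "11.10" < "11.2" as strings.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull a version out of a plugin description such as
// "Shockwave Flash 11.1 r102" or "Java(TM) Plug-in 1.6.0_31".
// Java's "_31" update suffix is normalised to a dotted field.
function extractVersion(description) {
  const m = /(\d+(?:[._]\d+)+)/.exec(description || '');
  return m ? m[1].replace(/_/g, '.') : null;
}

// Decide, per plugin of interest, whether the installed version is below
// the patched one. Plugins not in PATCHED are ignored; a plugin whose
// version cannot be parsed is reported with vulnerable === null rather
// than silently treated as safe.
function assessPlugins(plugins) {
  const findings = [];
  for (const p of plugins) {
    const threshold = PATCHED[p.name];
    if (!threshold) continue;
    const version = p.version || extractVersion(p.description);
    if (!version) {
      findings.push({ name: p.name, version: null, vulnerable: null });
      continue;
    }
    findings.push({
      name: p.name,
      version,
      vulnerable: compareVersions(version, threshold) < 0,
    });
  }
  return findings;
}

// Constructed sample resembling navigator.plugins on an unpatched box:
// Flash 11.1.102.63 (the version APSB12-07 tells users to upgrade from)
// and a Java plugin that only exposes its version in the description.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 11.1 r102', version: '11.1.102.63' },
  { name: 'Java(TM) Plug-in', description: 'Java(TM) Plug-in 1.6.0_31', version: undefined },
  { name: 'Gecko Default Plugin', description: 'Default Plug-in', version: '1.0.0' },
];

// In a browser, read the real plugin list; elsewhere fall back to the sample.
function livePlugins() {
  if (typeof navigator !== 'undefined' && navigator.plugins) {
    return Array.from(navigator.plugins);
  }
  return SAMPLE_PLUGINS;
}

function run() {
  return assessPlugins(livePlugins());
}

console.log(run());
```

Note that this only models the version gate: the Chrome sandbox bypass in CVE-2012-0773 is a property of the exploit, not of the probe, and an attacker who finds no vulnerable plugin falls back to the social-engineering route described in the edit above. Disabling JavaScript removes the probe but not the plugin; updating the plugin removes the hole either way.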