How the Careto Malware Works (For Dummies) and How to Stay Safe on the Internet

A Short Story On My Technophobia

I remember one day I was fiddling around with drivers for an HP printer I had, when it started spitting out Wingdings characters.

Wingdings characters

Then it dawned on me. This was code!


Of course, it wasn't, but for the next couple of years I thought that's what the end result of programming was: endless strings of symbols. Who was smart enough to memorize what each individual symbol meant? I wrote it off as an impossible feat for only the nerdiest of nerds, so I never bothered exploring further. It definitely didn't interest me.

I guess looking back at that now, conceptually I wasn't too far off. That's sort of what programming is, right?

Scary virus guy from Alone in the Dark

Then, I discovered viruses. Man was that shit scary. It was an episode of "Are You Afraid of the Dark?" entitled "The Tale of the Renegade Virus" that furthered my beliefs that a computer was this big box of magic that could be used for good... or evil. 90s outfits and hair styles aside, the episode is funny now, but it was scary as hell for a kid.

I had this thing back then (and still do actually) where I liked to scare the shit out of myself. So it didn't help things much when I would frequent the black corners of the Internet deliberately seeking viruses to download. Just so I could see what would happen. Morbid curiosity.

Every day it was me vs. my IBM Aptiva. Who would be the victor that day? Would I be able to continue to repair the damage I'd caused and bend it to my will via endless onslaughts of Norton AntiVirus scans and Disk Doctor maintenance? Or would the viruses finally get the upper hand...?

Wikipedia defines Technophobia as such:

Technophobia (from Greek τέχνη - technē, "art, skill, craft" and φόβος - phobos, "fear") is the fear or dislike of advanced technology or complex devices, especially computers.

Technophobia was stamped into my soul for good the night I had to install additional memory in my IBM (I believe to be able to run the latest version of one of the many Norton products I had my parents invest in to aid my self-inflicted war on terror). Back then, there was no fail-safe mechanism to prevent you from installing memory in backwards and sure enough, I installed it backwards and the machine went NUTS. Colors, sounds, garbled text all over the place. It felt like 4AM when this all went down, but it was probably more like 8:00PM. I shut that shit down, fixed the problem, and retreated to my room.

Until I wrote that paragraph above, no one ever knew what happened that night.

So... where is this all coming from? I was up late last night paging through my RSS feed when I happened upon a 65-page PDF from Kaspersky Labs (they are a computer security company that makes anti-virus products) detailing one of the most complex malware programs ever created. It reminded me of my technologically troubled childhood and how as a Computer Science grad and programmer I've come full circle with my phobia. Well I can't say I'm completely fearless, but I've definitely uncovered a lot of the mystery :)

Careto, or the mask

Anyway, the malware is called "Careto", which apparently is Spanish slang for "ugly face" or "mask". Kaspersky has called it "The Mask", and aptly so, because it is malware that masks itself from being uncovered, even by the most prying of eyes. It wreaks completely invisible havoc on your machine, making off with all of your sensitive data.

I'm going to give a super simplified explanation of how it works and what it does. I hope this serves as a reminder to the less technologically savvy of just how freaking important taking basic security precautions is (like having an anti-virus program and not clicking on links in emails whose origin you are not 100% certain of).

What's Careto?

Neckbeard gamer

Careto is a bunch of evil computer programs that work together to do some really bad things to infected computers. Because of how sophisticated and meticulous the technology is, Kaspersky believes that it may be the work of a nation state (meaning that this was a well-funded venture). That, and the operation was probably a bit more extensive and the team much bigger than just some social outcast hiding out in his parents' basement with pizza boxes scattered about.

They also believe those who wrote the code for these programs are native Spanish speakers (or at least they want us to think so) because of the language some of the code's documentation is written in. The main targets of the Careto campaign are as follows:

  • Government institutions
  • Diplomatic/embassies
  • Energy, oil and gas
  • Private companies
  • Research institutions
  • Private equity firms
  • Activists

...across 380 unique victims in 31 countries. It has been working undiscovered for five or more years. It's interesting that Spanish is spoken in the code's documentation and instructions, because languages other than Chinese are rarely seen in programs similar to Careto (that is, evil ones). I guess the Chinese are really into evil programs.

Donald Trump apprentice

Now you probably aren't one of these target companies, but you might work at one. And I'm guessing you could lose your job or something if your computer was infected. Well, if I were the boss I'd probably fire you. Why? When infected, Careto can:

  • See what you are searching on the Internet
  • See what you are typing
    • This includes everything from passwords to chats to credit card numbers
  • Steal Skype conversations
  • See what you are looking at on your screen
  • Steal files
    • Remember: these can include iPhone photos, which may contain location information in them. Attackers could potentially find out where you live!

...that's a royal pain in the ass for any company, especially those that work with a lot of confidential information, or who work with clients with a lot of confidential information.

One of the most interesting things about Careto is the great lengths the programmers went to hide their tracks and disguise their evil software as legitimate good software. They were exceptionally thorough about making their code work stealthily, which is uncommon in other malware.

How Does Careto Work?

  • Step 1: An attacker sends you an email with a link in it. This link is disguised as a popular news site, like The Guardian or The Washington Post.
  • Step 2: Clicking the link opens your web browser and goes to an evil URL that downloads a file that is digitally signed with a seemingly innocuous valid certificate (but from a company that turns out to be fake).
  • Step 3: The program extracts itself to your hard drive and injects its programs into the web browsers installed on your computer. This can include Internet Explorer, Chrome, and Firefox.
  • Step 4: Once inserted into the code of your web browsers, whenever you browse the Internet as you normally would, the malware now has the capability to silently contact what they call a "command and control" website. This is very, very bad.
  • Step 5: Once contacted by the malware installed on your computer, the command and control website responds to the malware with evil commands to run on your system. The danger with this architecture is that the command and control website can respond with arbitrary commands to run and arbitrary files to install, so it can literally do anything it wants to on your computer, including install new malware or update the current malware to make it even more effective in avoiding detection by anti-virus programs as they improve.

It's important to keep in mind that all of the actions taken by the malware in the above steps are stealthy. Any files created by the malware, it cleans up. Any variables it uses in memory are destroyed when no longer in use. It also makes sure to use file names that would normally be found on your computer, not something like BIG-BAD-VIRUS.exe.

You would have no idea any of this is going on. Not even computer security pros would. After all, what evidence would they have that something is amiss in the first place? They would never be prompted to look deeper if nothing looked awry.
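Step 4 above says the malware quietly contacts its "command and control" site while you browse as normal. One signal defenders actually look for is that kind of traffic: a machine talking to the same host at suspiciously regular intervals, which normal browsing rarely does. The following is an added example of that check (my code, not from the original post or from Kaspersky's report), run over a constructed proxy log; the host names, addresses and timestamps are made up for the example.

```python
"""Spot regular "beaconing" to one host in a web proxy log.

Added example, not from the original post or Kaspersky's report.
A client that requests the same host at nearly constant intervals is a
classic sign of malware checking in with its command-and-control site.
The log lines and host names below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2014-02-11T09:00:00 10.0.0.5 www.example-news.test
2014-02-11T09:00:03 10.0.0.5 cdn.example-news.test
2014-02-11T09:05:00 10.0.0.5 update.lookslegit.test
2014-02-11T09:07:41 10.0.0.5 mail.example.test
2014-02-11T09:10:00 10.0.0.5 update.lookslegit.test
2014-02-11T09:12:19 10.0.0.5 www.example-news.test
2014-02-11T09:15:04 10.0.0.5 update.lookslegit.test
2014-02-11T09:20:00 10.0.0.5 update.lookslegit.test
2014-02-11T09:21:07 10.0.0.5 mail.example.test
2014-02-11T09:25:00 10.0.0.5 update.lookslegit.test
2014-02-11T09:30:00 10.0.0.5 update.lookslegit.test
2014-02-11T09:33:55 10.0.0.5 www.example-news.test
2014-02-11T09:47:02 10.0.0.5 mail.example.test
2014-02-11T09:58:40 10.0.0.5 www.example-news.test
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Return {(client, host): mean gap in seconds} for client/host pairs
    whose request gaps are nearly constant.

    A pair is flagged when it has at least `min_hits` requests and the
    coefficient of variation (std dev / mean) of the gaps is <= `max_cv`.
    Real check-ins are often jittered a little, hence the tolerance.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    suspects = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            suspects[key] = avg
    return suspects


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {gap:.0f}s")
```

In the constructed log the news and mail hosts are visited at irregular, human-looking intervals and are not flagged, while the host contacted every five minutes (with a four-second wobble on one hit) is. In practice you would tune `min_hits` and `max_cv` for your own traffic and combine this with other signals, since some legitimate software (update checkers, chat clients) also polls on a schedule.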

What Makes Careto Different Than Most Malware?

In general, this is how most malware works. What sets Careto apart is:

  • Its ability to conceal and clean up after itself
  • The fail-safes it has in place in case it has trouble working on a particular system
  • Its ability to infect machines of almost any operating system, including mobile platforms. That means Windows, OS X, Linux, Android, and iPhone
  • The extent to which it employs encryption to cover its tracks
  • The care its developers took to ensure the malware package passed SSL certificate checks
  • The steps the malware developers took to ensure that security and anti-virus companies could not contact the command and control servers, which would have let them learn about the malware and improve their products to detect and remove it

How Can I Protect Myself Against Careto And Similar Malware?

ClamXAV for Mac

Keeping your computer secure is like flossing or working out: it's a chore to do, but it can save you a lot of problems someday (like gum and heart disease). Fortunately, the steps you can take to make sure you're protected are very basic, and you don't need to be a computer whiz to take action on them. Let's have a look:

  1. Don't open/click anything from strangers: It may be old fashioned, but if you think something is from a friend, but aren't 100%, call them up and ask. Saving your identity from being stolen is worth the time, isn't it?
  2. Keep your eyes peeled for suspicious web/email addresses: This is an easy one. For example, if you have an account at, say, apple.com, make sure any correspondence sent to you by Apple is sent from an official @apple.com email address. Oftentimes attackers try to disguise nefarious addresses cleverly, like "@app1e.com". Check the sender address, even if the email looks like a legit Apple email!
  3. Have a good anti-virus program installed: Even if you're on a Mac. Better safe than sorry, right? Check out ClamXav (free) for the Mac and Microsoft Security Essentials for Windows (also free, and now built-in on Windows 8 I believe).
  4. Use a VPN: VPN stands for virtual private network, and is something that can help your computer establish a secure tunnel to the Internet, which becomes more important when using public WiFi (like at coffee shops, airports, or hotels; although you should avoid these when you can). Cloak (paid) for Mac is awesome and super simple to use (and their founders are great people as a bonus). For those who are a little more tech-savvy, Private Internet Access (paid) for Mac & Windows is a good deal cheaper, though not quite as easy to use.
  5. Use browser extensions: Some browser extensions help facilitate safer browsing on the Internet, but be sure to download them from a reliable source like the Google Chrome Web Store. In particular, check out:
    • Adblock Plus - Does like the name says, blocks ads
    • Disconnect - Blocks social website trackers, and forces websites to use secure connections
    • Extension Defender - Makes sure none of the extensions you download have nefarious intentions
    • Ghost incognito - Allows you an easy way of opening up a private Internet browsing session where no cookies/history are saved on your computer
    • Ghostery - Works similarly to Disconnect, but can block a wider range of trackers I believe
    • HTTPS Everywhere - Forces websites to use secure connections
    • Web of Trust - Helps you identify secure sites by utilizing experience data from other web surfers like you around the world
  6. Use a password manager: To help you make more secure passwords (and to help you keep track of them). 1Password for Mac and Windows is a super option, and a piece of software I can't live without. LastPass is another option I haven't tried, but have heard good things about.
  7. Implement two-factor authentication: Find out which of your online accounts offer two-factor authentication, and enable it on them! Two-factor authentication means logging in not only with a password, but with an automatically generated key as well, usually created by a program on a device like your iPhone. Check out which services offer two-factor here.
  8. Keep anti-virus programs, operating systems, and web browsers up-to-date: Set up automatic updates so you don't have to worry about manually updating.
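Tip 2 is easy to state and surprisingly easy to get wrong by eye, so here is the same check done by a program, as an added example (my code, not from the original post). It takes an email's From address and a list of domains you actually expect mail from, and reports whether the sender is trusted, an imitation like "@app1e.com", or simply unknown. The addresses are constructed, and the table of lookalike characters is a small illustrative subset rather than a complete one.

```python
"""Flag sender addresses that imitate a trusted domain.

Added example, not from the original post.  Catches the "@app1e.com"
trick described in tip 2 in three ways: lookalike characters swapped
for real ones, one-character misspellings, and a trusted name buried
inside a longer domain ("apple.com.account-check.test").
Addresses below are constructed; CONFUSABLES is an illustrative subset.
"""
import re

# Lookalike -> the character it imitates (illustrative subset, not complete).
# Multi-character entries come first so they are undone before single ones.
CONFUSABLES = {"vv": "w", "rn": "m", "1": "l", "0": "o", "3": "e", "5": "s"}


def normalize_label(label):
    """Lower-case a domain label and undo common lookalike substitutions."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from 'Name <user@host>' or plain 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def main_label(domain):
    """The label just left of the top-level domain: 'apple' in 'apple.com'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address, trusted_domains):
    """Return 'trusted', 'lookalike' or 'unknown' for a From address."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"

    # Exact match or a subdomain of a trusted domain is fine.
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"

    labels = domain.split(".")
    base = main_label(domain)
    for trusted in trusted_domains:
        t_base = main_label(trusted.lower())
        if t_base in labels:                      # apple.com.evil.test
            return "lookalike"
        if normalize_label(base) == t_base:       # app1e.com
            return "lookalike"
        if edit_distance(base, t_base) <= 1:      # appie.com, aple.com
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    trusted = ["apple.com"]
    for addr in ["Apple <noreply@apple.com>",
                 "Apple Support <security@app1e.com>",
                 "alerts@apple.com.account-check.test",
                 "friend@example.test"]:
        print(f"{classify_sender(addr, trusted):9}  {addr}")
```

Anything that comes back "lookalike" deserves the phone call tip 1 suggests before you click. The rules are deliberately simple; a real mail filter would also use a fuller confusables table and check the message's authentication headers, but the three tests here already cover the tricks most phishing emails rely on.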
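Tip 7 mentions the "automatically generated key" your phone produces. To show what that key actually is, here is an added example (my code, not from the original post) of the standard scheme most authenticator apps use: TOTP (RFC 6238), built on HOTP (RFC 4226). A secret shared once between you and the service is combined with the current 30-second time slot, run through HMAC-SHA1, and truncated to six digits, so the code changes every half minute and is worthless to someone who only stole your password. The secret in the usage check is the published RFC test vector, not a real account's.

```python
"""Generate and verify the one-time codes used by authenticator apps.

Added example, not from the original post.  Implements HOTP (RFC 4226)
and TOTP (RFC 6238) with HMAC-SHA1 and 6 digits, which is what most
phone authenticator apps and services use by default.  The secret used
in the demo below is the RFC test vector "12345678901234567890".
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP: HOTP with the counter set to the current time slot."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Accept the code for the current slot or `window` slots either side,
    which tolerates a little clock drift between phone and server.
    Uses a constant-time comparison so timing does not leak the digits."""
    if at_time is None:
        at_time = time.time()
    slot = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, slot + delta, len(code)), code):
            return True
    return False


def secret_from_base32(text):
    """Services show the shared secret as Base32 (often in a QR code); decode it."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)             # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, as a service would display it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, at_time=59))                  # 287082 per the RFC vectors
    print(totp(secret))                              # what the app shows right now
```

The important property for the reader is in `totp`: the code is a function of the secret and the clock, so it cannot be reused later, and the secret itself never leaves the phone. The `window` in `verify_totp` is why an authenticator app still works when a phone's clock is a few seconds off.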

At the end of the day, the most effective strategy by far is to just remain vigilant about what you consume on your computer. No piece of software will protect you as much as good judgment will.

99% of the time it won't be you who is the target of an attack. But the 1% of the time that it is can make your life a living hell in this ever-connected world if you're not prepared.


If you are looking for more advanced ways to stay safe online, contact me in the comments or subscribe to my newsletter so I can help you out.

Thanks to Kaspersky Lab for their awesome research and resulting article.