NSA 'probably developing Mask-type malware'

News by Steve Gold

"Logic suggests that the NSA is developing its own cyber weapons. It has its own malware, and its own C&C servers" says Sarb Sembhi, Incoming Thought Analyst.

A leading security analyst says that the Mask malware - identified earlier this week as having quietly compromised victim companies' computers for around seven years without detection - is likely to have counterparts in malicious code developed by government agencies such as the NSA for use in state-sponsored attacks.

As reported previously, Mask was discovered recently by Kaspersky Lab as hitting targets in more than 30 countries and infecting at least 380 separate organisations. The malware uses several techniques to compromise PCs and servers, reportedly tapping various undocumented vulnerabilities in software to ensure success.

Sarb Sembhi, an analyst and director of consulting with Incoming Thought, says that Kaspersky's assertion that Mask may have been created by a nation state to assist in spying activities makes a lot of sense, and adds that other attack malware of this kind has almost certainly been created by agencies such as the NSA.

"It stands to reason that, if cyber criminals are developing complex attack code, then government agencies like the NSA are also developing equally powerful invasive programs as well. The key question I would ask is, why is it a surprise that malware like Mask is around?" he said.

"I well remember being infected by the Nimda worm around 2001, even though I had protection in place. That was 13 years ago, so it stands to reason that both black and white hackers will have upped their game since then," he added.

The Nimda worm, which appeared in September 2001, was one of the first worms capable of executing its code without the user opening an email attachment: it exploited a flaw in the way Internet Explorer and Outlook handled MIME headers, so that merely previewing the message was enough. It was also the first to modify pages on the web servers it compromised so that visitors were offered a copy of the worm for download, and it included a viral component that infected executable files on the host.

Sembhi went on to say that Nimda was a complex and highly sophisticated piece of code, so it is fairly obvious that today's malicious code - as illustrated by Mask - will be even more complex and more capable of escaping detection by enterprise security systems.

"There is a clear analogy here between the NSA's use of malware and military commanders in a battle. Both sides of the conflict will be making extensive usage of their available resources, and it is the same between cyber criminals and nation states," he said.

"And it is not just malware that government agencies like the NSA are creating. They will also be mirroring the cybercriminals in harvesting command-and-control servers for their own use. It is clear that NSA will be as innovative, if not more so, than the cybercriminals. The Mask malware is likely to be just one of several attack programs being used by government agencies," he added.

The Incoming Thought analyst backs up his assertion with the observation that the NSA has reportedly refused to agree to a spying technology truce with its allies. 

"Logic suggests that the NSA is developing its own cyber weapons. It has its own malware, and its own C&C servers," he explained.
