Vulnerabilities / Threats
10/16/2012
11:53 AM
Connect Directly
RSS
E-Mail
50%
50%

Meet Flame Espionage Malware Cousin: MiniFlame

Suspected Flame module turns out to be standalone attack code in use since at least 2010, described as targeted cyberweapon for conducting in-depth surveillance and espionage.

Ongoing teardowns of the Flame malware and its underlying components have yielded a surprising discovery: a new piece of malware.

Security researchers at Kaspersky Lab said that what they previously suspected was an attack module for the Flame malware is instead a standalone piece of attack code, although it can do double duty as a plug-in for both the Flame and Gauss malware. Designed for data theft and for providing attackers with direct access to an infected system, MiniFlame is based on the same architectural platform as Flame, according to Kaspersky Lab.

"MiniFlame is a high-precision attack tool," said Alexander Gostev, chief security expert at Kaspersky Lab, in an emailed statement. "Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack ... to conduct more in-depth surveillance and cyber-espionage."

[ Could a cyber arms agreement help forestall cyber warfare? See The Case For A Cyber Arms Treaty. ]

The MiniFlame code had previously been referred to as "SPE" in Flame's command-and-control (C&C) server code, but not found in the wild. "The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use," read a blog post from Symantec. The security company said that it's now updated its antivirus software to spot and block the MiniFlame malware, which it's dubbed "W32.Flamer.B."

Just how highly targeted is MiniFlame? Kaspersky Lab estimates that only 50 to 60 machines in the world have ever been infected by the malware. "These are highly focused attacks--what people call advanced, persistent threats--that are designed to fly under the radar and not be found," Eric Byres, CTO and VP engineering at Tofino Security, which is owned by Belden, said via phone. "In the old days, when someone created malware, it practically broadcast its presence. Today it's narrow, focused, and targeted, and darned hard to find."

Here's what the malware can do: Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab. The malware can also capture screenshots from infected PCs when people use a specified application, IM service, or FTP client, or send data to a C&C server. "Separately, at the request from MiniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an Internet connection," said Kaspersky Lab.

To date, Kaspersky Lab said it's found six different versions of MiniFlame, all created in 2010 or 2011, and at least two are still being used in active attacks. In terms of dating the malware's origins, researchers have found signs in the code base that development of the malware began, at latest, in 2007.

The teardown of MiniFlame remains ongoing, and there are numerous related questions that have yet to be answered. "It's interesting that one of the MiniFlame files had Versioninfo from Australia," tweeted Mikko Hypponen, chief research officer at F-Secure, after reviewing the current research, "and that Gauss used encryption key 0xACDC." This, he added, is an apparent reference to the Australian hard rock band AC/DC.

To recap the malware family tree: Flame was discovered in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the application's size--20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having tapped world-class crypto to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.

Further analysis of the Flame code base also turned up some apparent ties to Stuxnet, which in turn is related to Duqu.

Meanwhile, in August 2012, security researchers unearthed the Gauss malware, which was designed for highly targeted banking credential attacks, principally for customers of Lebanese banks. Given the targets, as well as the fact that Gauss was written in English, security watchers suspect that it was built by a Western nation state.

Based on code reviews, security researchers also believe Flame was commissioned by the same nation state that commissioned Stuxnet, although built by a different set of developers. Since U.S. government officials have taken credit for creating Stuxnet--although not Flame--that suggests that the United States has been behind not only Flame, but also Gauss, and now MiniFlame.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss," according to Kaspersky Lab's research. "Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory."

But what researchers haven't yet discovered is how MiniFlame would have infected computers. Since no related dropper--an application program that is used to infect machines with desired malware--has been found, researchers suspect that MiniFlame may have been dropped on targeted PCs by either the Flame or Gauss malware. Likewise, researchers haven't found any dedicated MiniFlame C&C servers, which means it may be administered using Flame's C&C servers.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/16/2012 | 7:14:24 PM
re: Meet Flame Espionage Malware Cousin: MiniFlame
Here we are thinking we are "safe" from malware, since we have a AV product, and these kind of new "spyware" (literally, since spy agencies use it ) being discovered. I wonder how much effort/time/money had gone into these. Instead the government could have invested that money in a FOSS app or could have created something / helped with Linux , which could have yielded something useful. I wonder how much of malware is still in their arsenal.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio