Vulnerabilities / Threats
10/16/2012
11:53 AM
50%
50%

Meet Flame Espionage Malware Cousin: MiniFlame

Suspected Flame module turns out to be standalone attack code in use since at least 2010, described as targeted cyberweapon for conducting in-depth surveillance and espionage.

Ongoing teardowns of the Flame malware and its underlying components have yielded a surprising discovery: a new piece of malware.

Security researchers at Kaspersky Lab said that what they previously suspected was an attack module for the Flame malware is instead a standalone piece of attack code, although it can do double duty as a plug-in for both the Flame and Gauss malware. Designed for data theft and for providing attackers with direct access to an infected system, MiniFlame is based on the same architectural platform as Flame, according to Kaspersky Lab.

"MiniFlame is a high-precision attack tool," said Alexander Gostev, chief security expert at Kaspersky Lab, in an emailed statement. "Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack ... to conduct more in-depth surveillance and cyber-espionage."

[ Could a cyber arms agreement help forestall cyber warfare? See The Case For A Cyber Arms Treaty. ]

The MiniFlame code had previously been referred to as "SPE" in Flame's command-and-control (C&C) server code, but not found in the wild. "The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use," read a blog post from Symantec. The security company said that it's now updated its antivirus software to spot and block the MiniFlame malware, which it's dubbed "W32.Flamer.B."

Just how highly targeted is MiniFlame? Kaspersky Lab estimates that only 50 to 60 machines in the world have ever been infected by the malware. "These are highly focused attacks--what people call advanced, persistent threats--that are designed to fly under the radar and not be found," Eric Byres, CTO and VP engineering at Tofino Security, which is owned by Belden, said via phone. "In the old days, when someone created malware, it practically broadcast its presence. Today it's narrow, focused, and targeted, and darned hard to find."

Here's what the malware can do: Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab. The malware can also capture screenshots from infected PCs when people use a specified application, IM service, or FTP client, or send data to a C&C server. "Separately, at the request from MiniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an Internet connection," said Kaspersky Lab.

To date, Kaspersky Lab said it's found six different versions of MiniFlame, all created in 2010 or 2011, and at least two are still being used in active attacks. In terms of dating the malware's origins, researchers have found signs in the code base that development of the malware began, at latest, in 2007.

The teardown of MiniFlame remains ongoing, and there are numerous related questions that have yet to be answered. "It's interesting that one of the MiniFlame files had Versioninfo from Australia," tweeted Mikko Hypponen, chief research officer at F-Secure, after reviewing the current research, "and that Gauss used encryption key 0xACDC." This, he added, is an apparent reference to the Australian hard rock band AC/DC.

To recap the malware family tree: Flame was discovered in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the application's size--20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having tapped world-class crypto to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.

Further analysis of the Flame code base also turned up some apparent ties to Stuxnet, which in turn is related to Duqu.

Meanwhile, in August 2012, security researchers unearthed the Gauss malware, which was designed for highly targeted banking credential attacks, principally for customers of Lebanese banks. Given the targets, as well as the fact that Gauss was written in English, security watchers suspect that it was built by a Western nation state.

Based on code reviews, security researchers also believe Flame was commissioned by the same nation state that commissioned Stuxnet, although built by a different set of developers. Since U.S. government officials have taken credit for creating Stuxnet--although not Flame--that suggests that the United States has been behind not only Flame, but also Gauss, and now MiniFlame.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss," according to Kaspersky Lab's research. "Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory."

But what researchers haven't yet discovered is how MiniFlame would have infected computers. Since no related dropper--an application program that is used to infect machines with desired malware--has been found, researchers suspect that MiniFlame may have been dropped on targeted PCs by either the Flame or Gauss malware. Likewise, researchers haven't found any dedicated MiniFlame C&C servers, which means it may be administered using Flame's C&C servers.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/16/2012 | 7:14:24 PM
re: Meet Flame Espionage Malware Cousin: MiniFlame
Here we are thinking we are "safe" from malware, since we have a AV product, and these kind of new "spyware" (literally, since spy agencies use it ) being discovered. I wonder how much effort/time/money had gone into these. Instead the government could have invested that money in a FOSS app or could have created something / helped with Linux , which could have yielded something useful. I wonder how much of malware is still in their arsenal.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.