They discover a “mini Flame”, the younger brother but dangerous virus Flame
kaspersky researchers take considerable time excavating around Flame , a surprising viruses developed for cyber-espionage , apparently created by the U.S. and Israel . Along with Flame, the researchers detected a Gauss, which allowed monitoring bank accounts of people spied on , and “miniFlame”, discovered a few days ago.
“MiniFlame attack is a tool of great precision. Most likely it is a directed ciberarma what might be called a secondary wave of cyber attack. Installed to an investigation and in-depth cyber espionage, “said Kaspersky expert Alexander Gostev.
It seems that is used for control and access to spy on certain computers already infected with Flame or Gauss. In the same way as with Flame and Gauss, miniFlame seems to have been created by the same authors of Stuxnet , the first “cyber weapon” designed to sabotage Iran’s nuclear program. And this could be just a small part of the arsenal of cyber weapons, which do not yet know.
MiniFlame would be a module that can operate independently or be part of other larger spy tools like Flame or Gauss. The module is designed to steal data and open a backdoor on infected machines, giving the attacker control over the machines. Once this backdoor, an attacker can send commands to perform different tasks (like taking screenshots, stealing data or download files, for example) on the machine.
Flame and Gauss not allow this direct control of infected devices, as it does miniFlame. Researchers believe that was designed for very specific victims – only 50 cases had infected – and it was used in conjunction with the aforementioned viruses.
“In principle, Flame or Gauss used to infect as many computers as possible and collect as much information. After the data is collected and reviewed, is defined and identifies a potential target of interest of victims, and miniFlame installed for in-depth research and cyber espionage, “said Gostev.
It is thought that once installed miniFlame, erased the malware attackers more, Flame. A while ago it was found a module called “browse32″ Flame present in that self-destroys the virus , that affects module miniFlame. The latter also “vaccine” to record the infected and prevent, if back contact Flame Virus from spreading.
Kaspersky researchers identified six variants miniFlame, and believe that variations can reach some few tens. Each version seems to be focused on different territories, so that a type found concentrated in Lebanon and Palestinian territories, while other variants were in Iran, Qatar and Kuwait.
Kaspersky indicates that the first version would date miniFlame 2007.
Researchers discovered this malware to gain access to two command and control servers that attackers used to communicate with Flame. After intercepting data ranging from machines infected with Flame to the server, the researchers were surprised to discover that there was a second malware present.
It is believed that using special servers different from Flame to send commands to miniFlame, because the system was not intercepted by Kaspersky ability to send these commands. Between 28 May and 30 September, the infected machines to spy miniFlame contacted Kaspersky about 14,000 times from about 90 different IPs. Most were based in Lebanon (45 infections), followed by France (24 infections).
Researchers have found only Flame infected computers, only Gauss, some with Flame and miniFlame, and others with Gauss and miniFlame. A team of Lebanon, however, has the three – apparently someone important enough to be watched by all malware. The IP of this equipment is to an ISP, so it is not easy to know who the device.
– Full Analysis of Flame’s Command & Control servers (Securelist)
– State-Sponsored Malware ‘Flame’ You Smaller, More Devious Cousin (Wired)