Kaspersky Lab Discovers "miniFlame," a New Virus Designed for Cyber Espionage

btarunr · Oct 15, 2012, 02:01 PM

Today Kaspersky Lab announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module. However, in September 2012, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command & control servers (C&C) and from the analysis found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware.

Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild. The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a “plug-in” for their operations.

Main Findings:

miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.
The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.
Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variations are presumed to be created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
Unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60.
The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

Discovery
The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware. In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed “John” and found references to the same module in Flame’s configuration files. The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a “plug-in” by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original C&C servers.

Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011. At the same time, the analysis of miniFlame points to even earlier date when development of the malware was commenced – not later than 2007. miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory.

Functionality
The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss. Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. Additional info-stealing capabilities include making screenshots of an infected computer while it’s running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client. miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or “shared” with Flame’s C&Cs). Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”

Kaspersky Lab would like to thank CERT-Bund/BSI for their kind assistance with this investigation. The full report on miniFlame can be found here.

tacosRcool · Oct 15, 2012, 06:01 PM

May be development since 2007? That's not good at all....

Katanai · Oct 15, 2012, 07:53 PM

Well, I've always wondered where computer viruses really came from. Kaspersky Lab was always the number one suspect for me. BUT now, seeing that these claims of theirs remain uncontested by anyone, I begin to change my mind about this...

RejZoR · Oct 16, 2012, 06:39 AM

I don't get it why are ppl always so surprised on such discoveries. These are the tools for highly targeted attacks.

Imagine comparing a full on army of 200.000 soldiers attacking some country or a team of 5 highly skilled spec ops doing destruction behind enemy lines. It's obvious that you'd notice the 200.000 men army faster than you'd detect a 5 member team. If ever... It's the same here. If it's such targeted specific tool like derivates of Flame, it's nothing unusual to discover them with such big delay. If you even discover them at all.

This discovery was probably made by "mistake" and the file got caught by honeypots at some point.

niko084 · Oct 16, 2012, 02:22 PM

Quote:

Originally Posted by RejZoR

I don't get it why are ppl always so surprised on such discoveries. These are the tools for highly targeted attacks.

Imagine comparing a full on army of 200.000 soldiers attacking some country or a team of 5 highly skilled spec ops doing destruction behind enemy lines. It's obvious that you'd notice the 200.000 men army faster than you'd detect a 5 member team. If ever... It's the same here. If it's such targeted specific tool like derivates of Flame, it's nothing unusual to discover them with such big delay. If you even discover them at all.

This discovery was probably made by "mistake" and the file got caught by honeypots at some point.

Exactly.

Oct 15, 2012, 02:01 PM	#1
btarunr Editor & Senior Moderator Join Date: Oct 2007 Location: Hyderabad, India Posts: 15,030 (7.22/day) Thanks: 790 Thanked 13,028 Times in 5,719 Posts System Specs	Kaspersky Lab Discovers "miniFlame," a New Virus Designed for Cyber Espionage Today Kaspersky Lab announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations. miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module. However, in September 2012, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command & control servers (C&C) and from the analysis found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware. Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild. The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a “plug-in” for their operations. Main Findings: miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss. The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems. Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variations are presumed to be created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x. Unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60. The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss. Discovery The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware. In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed “John” and found references to the same module in Flame’s configuration files. The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a “plug-in” by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original C&C servers. Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011. At the same time, the analysis of miniFlame points to even earlier date when development of the malware was commenced – not later than 2007. miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory. Functionality The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss. Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. Additional info-stealing capabilities include making screenshots of an infected computer while it’s running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client. miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or “shared” with Flame’s C&Cs). Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection. Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.” Kaspersky Lab would like to thank CERT-Bund/BSI for their kind assistance with this investigation. The full report on miniFlame can be found here.

System Name:	Blackbox
Processor:	AMD FX-8350
Motherboard:	ASUS M5A99FX Pro R2.0
Cooling:	Xigmatek Aegir SD128264 with IC Diamond 24 Thermal Compound
Memory:	16 GB Corsair Vengeance DDR3-1600
Video Card:	Palit GeForce GTX 680 JetStream 2GB outfitted with IC Diamond 24 TIM
Hard Disk:	Samsung 840 Series 250GB
Optical Drive:	HT-LG DVD-RW
CRT/LCD Model:	ViewSonic VX2450wm-LED
Case:	Cooler Master CM690 Window
Sound Card:	Creative SB Recon3D
PSU:	Corsair HX850W
Software:	Windows 8 Pro 64-bit

Oct 15, 2012, 06:01 PM	#2
tacosRcool Join Date: May 2012 Location: WR, Georgia Posts: 777 (1.94/day) Thanks: 67 Thanked 59 Times in 51 Posts System Specs	May be development since 2007? That's not good at all.... __________________ I like nachos and frozen yogurt. -Fred Fredburger http://www.youtube.com/watch?v=haoqEv9q_eo

System Name:	Computer of Computerness
Processor:	i7-2700K @ 4.22 Ghz
Motherboard:	Gigabyte Z68XP-UD3
Cooling:	Cooler Master Hyper 212+
Memory:	Samsung 8 GB DDR3 OC @1866 Mhz
Video Card:	Gigabyte GTX 670 OC
Hard Disk:	240 GB Kingston V+200 SSD, 1 TB Hitachi 7200 rpm HDD, 1 TB Samsung 7200 rpm HDD
Optical Drive:	Pioneer BDR-205
CRT/LCD Model:	Samsung ToC SyncMaster P2250
Case:	NZXT Phantom 410, Red
Sound Card:	Asus Xonar DG 5.1
PSU:	Corsair TX750 V2
Software:	Windows 8 Pro
Benchmarks:	3DMark 11: X3325 P9191 3DMark Vantage: P29926

Oct 16, 2012, 06:39 AM	#4
RejZoR Join Date: Oct 2004 Location: Europe/Slovenia Posts: 3,980 (1.25/day) Thanks: 39 Thanked 758 Times in 542 Posts System Specs	I don't get it why are ppl always so surprised on such discoveries. These are the tools for highly targeted attacks. Imagine comparing a full on army of 200.000 soldiers attacking some country or a team of 5 highly skilled spec ops doing destruction behind enemy lines. It's obvious that you'd notice the 200.000 men army faster than you'd detect a 5 member team. If ever... It's the same here. If it's such targeted specific tool like derivates of Flame, it's nothing unusual to discover them with such big delay. If you even discover them at all. This discovery was probably made by "mistake" and the file got caught by honeypots at some point. __________________ RejZoR's Little Secrets @ rejzor dot tk

Oct 15, 2012, 07:53 PM	#3
Katanai Join Date: Mar 2008 Posts: 392 (0.20/day) Thanks: 3 Thanked 108 Times in 82 Posts	Well, I've always wondered where computer viruses really came from. Kaspersky Lab was always the number one suspect for me. BUT now, seeing that these claims of theirs remain uncontested by anyone, I begin to change my mind about this...

System Name:	The BlackBox 3
Processor:	Intel Core i7 920 4,2 GHz
Motherboard:	ASUS Rampage II Gene + 2x Noiseblocker XM2 on chipset/VRM
Cooling:	ANTEC H2O 920 + 2x Noiseblocker M12-S3HS
Memory:	6GB Corsair Dominator 1600MHz
Video Card:	GIGABYTE RADEON HD7950 3GB WindForce 3X (1100/6000)
Hard Disk:	WD Caviar Black 2TB 64MB
Optical Drive:	SAMSUNG SH-S223F
CRT/LCD Model:	SAMSUNG SyncMaster 931c
Case:	Lian Li PC-V354 Black
Sound Card:	Creative Sound Blaster Z + Altec Lansing MX5021
PSU:	Corsair HX750 + Noiseblocker BlackSilent XR2
Software:	Windows 8 Professional x64
Benchmarks:	It can run 3DMark and all...

Processor:	Intel i7 3770K @ 3.5ghz
Motherboard:	Asus P8P67 Pro
Cooling:	CoolIt Eco120 (Push/Pull A.C. 120mm)
Memory:	4x4GB Gskill Sniper @ 9-9-9-24 1600mhz
Video Card:	HD7850 1150/1200
Hard Disk:	240GB Hyper-X 3k SSD, 2x WD Black 640 Raid 1
Optical Drive:	Sony/NEC AD-7241S
CRT/LCD Model:	Asus VE228H 21.5 1920x1080
Case:	Antec 300
Sound Card:	Focusrite Saffire PRO 14 -> Mackie MR8 Monitors
PSU:	Seasonic SS520-GB 520W
Software:	Windows 7 Pro x64

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Spirit Discovers "New" Highest Peak in "Columbia Hills"	micropage7	Science & Technology	7	Oct 20, 2011 02:50 PM
New "Kill Hazard" Virus/Trojan Redirect	Kreij	General Software	5	Sep 29, 2010 04:25 PM
Kaspersky Lab Releases Technical Prototype of Kaspersky Anti-Virus for Windows 7	alexp999	News	14	Jan 26, 2009 02:19 AM
Kaspersky Lab Discovers First iPod-Specific Virus	Polaris573	News	7	Apr 8, 2007 07:03 AM