Feeds

Mini-Me, stop humping the laser: Littler Flame cyber-spy tool found

Tiny agent nips through backdoor, nicks your files

5 things you didn’t know about cloud backup

Updated Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.

MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.

Two months of subsequent analysis of Flame’s command & control servers (C&C) revealed that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or as a plug-in for both Flame and Gauss. The dual use of miniFlame as a plug-in provides another piece of evidence that the creators of Flame and Gauss, another cyber-spying utility, worked together.

All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.

At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.

MiniFlame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to miniFlame is much smaller than the volume attributable to either Flame or Gausss. Kaspersky Lab estimates mimiFlame racked up just 50 to 60 infections worldwide. Experts at CERT-Bund/BSI helped Kaspersky Lab researchers in their investigation.

"The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss," Kaspersky Lab researchers concludes.

The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.

miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands to control servers allow miniFlame to gain access to a module which "infects USB drives and uses them to store data that’s collected from infected machines without an internet connection".

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Additional details about miniFlame can be found in the blog post here and in a report here.

"Kaspersky did a really great work on SPE," Boldizsar Bencsath, assistant professor at the CrySyS Lab of the Budapest University of Technology and Economics, part of the team that first discovered Flame, told El Reg. "It is very strange that SPE is so targeted (only 20 victims), but still had around 10 versions.

"[It's also] strange that SPE used same Flame C&Cs after Flame has been caught. It looks like normal military rules (I guess) were not in use." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.