Feeds

Mini-Me, stop humping the laser: Littler Flame cyber-spy tool found

Tiny agent nips through backdoor, nicks your files

Intelligent flash storage arrays

Updated Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.

MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.

Two months of subsequent analysis of Flame’s command & control servers (C&C) revealed that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or as a plug-in for both Flame and Gauss. The dual use of miniFlame as a plug-in provides another piece of evidence that the creators of Flame and Gauss, another cyber-spying utility, worked together.

All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.

At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.

MiniFlame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to miniFlame is much smaller than the volume attributable to either Flame or Gausss. Kaspersky Lab estimates mimiFlame racked up just 50 to 60 infections worldwide. Experts at CERT-Bund/BSI helped Kaspersky Lab researchers in their investigation.

"The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss," Kaspersky Lab researchers concludes.

The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.

miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands to control servers allow miniFlame to gain access to a module which "infects USB drives and uses them to store data that’s collected from infected machines without an internet connection".

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Additional details about miniFlame can be found in the blog post here and in a report here.

"Kaspersky did a really great work on SPE," Boldizsar Bencsath, assistant professor at the CrySyS Lab of the Budapest University of Technology and Economics, part of the team that first discovered Flame, told El Reg. "It is very strange that SPE is so targeted (only 20 victims), but still had around 10 versions.

"[It's also] strange that SPE used same Flame C&Cs after Flame has been caught. It looks like normal military rules (I guess) were not in use." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.