Feeds

Mini-Me, stop humping the laser: Littler Flame cyber-spy tool found

Tiny agent nips through backdoor, nicks your files

High performance access to file storage

Updated Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.

MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.

Two months of subsequent analysis of Flame’s command & control servers (C&C) revealed that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or as a plug-in for both Flame and Gauss. The dual use of miniFlame as a plug-in provides another piece of evidence that the creators of Flame and Gauss, another cyber-spying utility, worked together.

All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.

At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.

MiniFlame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to miniFlame is much smaller than the volume attributable to either Flame or Gausss. Kaspersky Lab estimates mimiFlame racked up just 50 to 60 infections worldwide. Experts at CERT-Bund/BSI helped Kaspersky Lab researchers in their investigation.

"The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss," Kaspersky Lab researchers concludes.

The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.

miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands to control servers allow miniFlame to gain access to a module which "infects USB drives and uses them to store data that’s collected from infected machines without an internet connection".

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Additional details about miniFlame can be found in the blog post here and in a report here.

"Kaspersky did a really great work on SPE," Boldizsar Bencsath, assistant professor at the CrySyS Lab of the Budapest University of Technology and Economics, part of the team that first discovered Flame, told El Reg. "It is very strange that SPE is so targeted (only 20 victims), but still had around 10 versions.

"[It's also] strange that SPE used same Flame C&Cs after Flame has been caught. It looks like normal military rules (I guess) were not in use." ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.