Feeds

Mini-Me, stop humping the laser: Littler Flame cyber-spy tool found

Tiny agent nips through backdoor, nicks your files

Security for virtualized datacentres

Updated Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.

MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.

Two months of subsequent analysis of Flame’s command & control servers (C&C) revealed that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or as a plug-in for both Flame and Gauss. The dual use of miniFlame as a plug-in provides another piece of evidence that the creators of Flame and Gauss, another cyber-spying utility, worked together.

All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.

At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.

MiniFlame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to miniFlame is much smaller than the volume attributable to either Flame or Gausss. Kaspersky Lab estimates mimiFlame racked up just 50 to 60 infections worldwide. Experts at CERT-Bund/BSI helped Kaspersky Lab researchers in their investigation.

"The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss," Kaspersky Lab researchers concludes.

The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.

miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands to control servers allow miniFlame to gain access to a module which "infects USB drives and uses them to store data that’s collected from infected machines without an internet connection".

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Additional details about miniFlame can be found in the blog post here and in a report here.

"Kaspersky did a really great work on SPE," Boldizsar Bencsath, assistant professor at the CrySyS Lab of the Budapest University of Technology and Economics, part of the team that first discovered Flame, told El Reg. "It is very strange that SPE is so targeted (only 20 victims), but still had around 10 versions.

"[It's also] strange that SPE used same Flame C&Cs after Flame has been caught. It looks like normal military rules (I guess) were not in use." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.