Kaspersky reveals "miniFlame" targeting Middle East

 

Gallery

By Reuters

Posted on 15 Oct 2012 at 16:14

Kaspersky has uncovered another version of the Flame virus, designed to target individual computers.

The security company said it had found malware related to Flame, dubbed "miniFlame," which can carry out more precise attacks on targets in the Middle East.

While the original Flame virus swept in data from perhaps 5,000 computers, largely in Iran and Sudan, the new miniFlame struck only about 50 "high-value" machines, according to Kaspersky Lab research. Iran had previously blamed Flame for causing data loss on computers in the country's main oil export terminal and Oil Ministry.

"Flame acts as a long sword for broad swipes while miniFlame acts as a scalpel for a focused surgical dissection," Roel Schouwenberg, a senior researcher at Moscow-based Kaspersky Lab, told Reuters.

Flame acts as a long sword for broad swipes while miniFlame acts as a scalpel for a focused surgical dissection

Kaspersky theorised that miniFlame was distributed mainly by Flame and another recently discovered spyware program, Gauss, which was most prevalent in Lebanon and may have been aimed at tracking financial transactions.

Not much is known about miniFlame's victims, except that they were more geographically dispersed than those of Flame and Gauss. Infections were found in Lebanon and Iran most of all but also in Palestine, Iran, Kuwait, and Qatar, according to Kaspersky.

Kaspersky and US security software company Symantec have said that some of the code in Flame also appeared in an early version of Stuxnet. Found in 2010 and aimed at Iran's nuclear enrichment program, Stuxnet is sometimes described as the first true cyber-weapon. Cyber experts widely believe Stuxnet is an American project.

Kaspersky and Symantec said in a joint research paper last month that Flame's control software remotely directed a number of smaller programs, and that the effects of only one of those programs was clear.

Symantec said at the time the overall project "fits the profile of military and intelligence operations," in part because encryption kept some operatives in the dark about what data they were taking from infected machines. The many technological innovations in Flame included its hijacking of Microsoft's Windows Update feature.

Remote control

The new discovery concerns one of the smaller programs controlled by the Flame command software, referred to in the original code as SPE.

According to the Kaspersky analysis, it includes a "back door" allowing for remote control, data theft and the ability to take screenshots.

"MiniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage," Kaspersky chief security expert Alexander Gostev said.

Kaspersky said that miniFlame worked with Flame and Gauss but could also operate independently of both, taking orders from a separate network of command computers. It said the new discovery makes a stronger case for the connection among all the programs, though it has not accused any party of authorship.

Kaspersky said it found six versions of miniFlame, the most recent created in September 2011. Some of the protocols it used dated to 2007, making it a long-running effort.

MiniFlame responded to a series of commands given Anglo first names by the program authors. "Elvis" created a process on an infected machine and "Barbara" took a screen shot. "Tiffany" directed the computer to a new command server.