Precision Espionage MiniFlame Malware Tied To Flame
Gunkerty Jeb writes "Initially thought to be merely a module of the now-infamous Flame malware, MiniFlame, or SPE, is, in reality, a secondary surveillance tool deployed against specially identified targets following an initial Flame or Gauss compromise. MiniFlame/SPE was one of three previously unseen pieces of malware discovered during a forensic analysis of Flame's command and control servers. Researchers at Kaspersky Lab and CERT-Bund/BSI determined that the program, which has compromised somewhere between 10 and 20 machines, can stand alone as an independent piece of malware or run as a plug-in for both Flame and Gauss."
First flame!
I sure hope that an actual person wrote this MiniFlame. Otherwise the virus has become self-aware and is now reproducing autonomously.
sudo make me a sandwich
It really does sound like the antivirus folks are just so far out of their league...
They were always a step behind... But now it sounds more like a mile.
The era of governments using malware as part of their standard military/security/intelligence arsenal has arrived.
What political party do you join when you don't like Bible-thumpers *or* hippies?
It'd be a whole lot easier to use an OS that isn't so susceptible to malware.
Is there likely to be a lot more of this type of thing out there that just hasn't been discovered? I was thinking...damn, it's gotta be embarrassing for those secretive TLAs for their activities to be made so public, but then, what is the likelihood that those secretive TLAs have a lot more stuff out there that simply hasn't been made public?
Oh and of course, I like to suck cock.
apk
Plus an illogical off-topic weak failing ad hominem attack on myself, rather than disproving my points here -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 is "the best you've got", little ac troll?
* Please... make me laugh some more!
(Like I said: Not a SINGLE ONE OF YOU CAN DISPROVE MY POINTS in the link above, & you ALWAYS RUN from this challenge put to you also -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41659277 )
APK
P.S.=> Face facts, troll - YOU FAIL, miserably... and you know it!/quote... apk
They all are to one degree or another, & most implement the same general concepts for security too. Most used = most attacked. From the perspective of the malware maker/botnet master etc., this makes TOTAL sense (and it's why Microsoft Windows is the most attacked as far as Operating Systems go).
Those with full brains likely didn't make it past the first few lines...
Fully dyslexia or ADHD addled brains, like yours? Disprove my points here instead troll -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 because your off-topic illogical ad hominem attacks only show anyone reading that you are indeed, lol, "pulling a forrest gump" (& running)...
* You FAIL, troll... & you're apparently out of modpoints to bogusly + unjustifiably downmod my post (instead of disproving its points).
APK
P.S.=> Of course, IF you could manage to disprove my points in that link above, then I couldn't SAY you are failing, but alas? LMAO, you are - badly!/quote... apk
Instead of trolls doing unjustifiable downmods, why can't they disprove the points posted here instead http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 ?
Why? Simple - the very SECOND their C&C Servers (or other online parts) are known, I block them the heck out
What if they become known while you're spamming /., eh?
Might not add it that very second, hmmmm?
Open Sores people post about their wares here, such as adblock and it's not as good, so why can't he?
Malware like this is unique in warfare in that the payload can be recovered intact, reverse engineered, and deployed for other motives quite easily, and (from my admittedly limited understanding) requires only off-the-shelf technological overhead. I've read several articles here recently about critical infrastructure related SCADA equipment needing per-site patches due to backdoors and poor default security settings. Presuming the proliferators of this malware based espionage are intelligent and can predict the following chain of events, they must have deemed this to be an acceptable risk, or even want it to happen...
I wonder what the legal liabilities for the originating state(s) are when a modified version impacts their own citizens and infrastructure? It worries me that nations are running headlong into this type of undeclared war. Bioweapons are limited in their usefulness in warfare for this very reason - their propensity to harm non-combatants on both sides. With our dependence on IT and networks in all areas including the provisions of the necessities of life, when this escalates, it won't be pretty.
The program runs itself every 12 hours "automagically" IF I wish & gets its data for custom hosts files from 12 reputable & reliable sites for that. I'll get it then without lifting a finger!
* However/OR, I can just do a "manual run" right then too...
(I also get a LOT of botnet C&C Server information from articles during my evenings as well, & sometimes, my sources don't even get them THAT fast, so I do manual runs in the evenings after dinner usually!)
APK
P.S.=> So far, since 1997 when I started doing custom hosts files? I have myself covered vs. LITERALLY 1,848,485++ known bad sites/servers/hosts-domains that serve up malicious content/exploits/malware etc.-et al!
Now, that's pretty good considering it's a solution in custom hosts files that's TIGHTLY INTEGRATED into the OS since it's really only using a part of the IP stack, as a filter for it!
(The IP stack's written in C + assembly afaik, fastest there is, AND, it runs in Ring 0/RPL 0/kernelmode too, not usermode/Ring 3/RPL 3 AND layering on top of browsers ONLY (not external to browser email programs like Outlook/Outlook Express or Eudora for example)... SLOW!
Solutions like AdBlock, by way of comparison AGAIN in terms of "SLOW"?
AdBlock's also written in SLOWER interpreted languages like javascript, python, & perl too - not as fast, OR efficient as the IP stack yet again which again, was written in FAR FASTER C & Assembly language... period!
All that, is where custom hosts files rock (and more), vs. "solutions" that are OWNED BY ADVERTISERS (& intentionally weakened by default in AdBlock + Ghostery in tracking)...
... apk
It'd be a whole lot easier to use an OS that isn't so susceptible to malware.
That's why I use hand written Action! code on an Atari 800XL, and I never, ever, ever go online.
When our name is on the back of your car, we're behind you all the way!
Nothing to see here ...
Is it? I run it manually when & IF needed (by simply visiting the sites as they update, sometimes every 20 minutes or so, other times once a day, sometimes once a week or once a month), & then I scour articles on security too, mainly for botnet C&C servers that aren't mentioned/listed/noted in my normal 12 sources...
* Pretty simple - but, @ the VERY LEAST, I am covered "automagically" every 12 hours for them all...
APK
P.S.=> I can certainly say 1 thing - I know that my being covered vs. nearly 2 million (& growing) KNOWN bad sites/servers/hosts-domains that are bogus DNS servers, botnet C&C servers, fastflux hosts, or just plain malware or malscripted housing sites... and, VERY CURRENTLY found as so here, & inserted into my custom hosts file!
(For security, it's a great extra-layer of protection, but the speed gains are even MORE astounding & noticeable!)
QUESTION: Are you? I am SURE I am...
... apk
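The merged custom hosts-file workflow the two posts above describe (entries pulled from many sources, deduplicated into one file, every name pointed at a sink address), as an added example that is not the poster's tool or code; the source texts are constructed samples and the hostname validation rules are my own assumptions:

```python
"""Merge hosts-style blocklists into one custom hosts file (added example,
not the thread's or any poster's code; SOURCE_* below are constructed)."""
import ipaddress
import re
from typing import Iterable

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Names that must never be sinkholed, or local name resolution breaks.
_PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def is_valid_hostname(name: str) -> bool:
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def parse_hosts_source(text: str) -> set[str]:
    """Hostnames from one source in hosts ("<ip> <host>...") or plain-domain format."""
    names: set[str] = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, tokenize
        if not fields:
            continue
        hosts = fields[1:] if _is_ip(fields[0]) else fields
        for host in hosts:
            host = host.lower().rstrip(".")           # normalize case, trailing dot
            if host not in _PROTECTED and is_valid_hostname(host):
                names.add(host)
    return names

def build_hosts_file(sources: Iterable[str], sink: str = "0.0.0.0") -> str:
    """Union of all sources, sorted, every name mapped to an unroutable sink."""
    merged = set().union(*(parse_hosts_source(s) for s in sources))
    lines = ["127.0.0.1 localhost", f"# {len(merged)} blocked hosts"]
    lines += [f"{sink} {name}" for name in sorted(merged)]
    return "\n".join(lines) + "\n"

SOURCE_A = "# constructed: hosts format\n127.0.0.1 localhost\n0.0.0.0 bad-cnc.example\n0.0.0.0 tracker.example # comment\n"
SOURCE_B = "# constructed: plain domain list\nBad-CNC.example.\nfastflux.example\nnot valid host!\n"

if __name__ == "__main__":
    print(build_hosts_file([SOURCE_A, SOURCE_B]))
```

Malformed lines and protected names are dropped rather than written, so a bad upstream source cannot sinkhole localhost or inject garbage into the file.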
Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms
How many rootkits does the US[2] use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?
I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government), your NIC, and many other devices.
Where are the commercial or free anti-malware organizations' and individuals' products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.
The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware