Precision Espionage MiniFlame Malware Tied To Flame
Gunkerty Jeb writes "Initially thought to be merely a module of the now-infamous Flame malware, MiniFlame, or SPE, is, in reality, a secondary surveillance tool deployed against specially identified targets following an initial Flame or Gauss compromise. MiniFlame/SPE was one of three previously unseen pieces of malware discovered during a forensic analysis of Flame's command and control servers. Researchers at Kaspersky Lab and CERT-Bund/BSI determined that the program, which has compromised somewhere between 10 and 20 machines, can stand alone as an independent piece of malware or run as a plug-in for both Flame and Gauss."
I sure hope that an actual person wrote this MiniFlame. Otherwise the virus has become self-aware and is now reproducing autonomously.
sudo make me a sandwich
The era of governments using malware as part of their standard military/security/intelligence arsenal has arrived.
What political party do you join when you don't like Bible-thumpers *or* hippies?
Is there likely to be a lot more of this type of thing out there that just hasn't been discovered?
Yes.
There are four known communication protocols (OldProtocol, OldProtocolIE, SignupProtocol, RedProtocol) and four classes of malware (SP, SPE, IP, FL).
This is SPE. FL was Flame. SP is unknown (though presumed early SPE), IP is also unknown.
IP uses SignupProtocol. It is presumed that RedProtocol is not yet implemented, although I'd lean towards "not yet discovered".
This is really, really precisely targeted stuff. Stuxnet went out - supposedly the Israelis modified it and a bug/feature let it spread - but the others were pretty much precisely guided towards the victims. Nobody has any idea what's out there and which operating systems these things are targeting. Given that the creators of this entire malware family have also utilized a completely new hash collision algorithm and managed to do things nobody ever did before, I wouldn't be surprised if there were plenty more malware unknowns where this came from.
Fascinating stuff. Evil stuff, but incredibly fascinating. To this day, nobody has figured out how the malware operators gained access to some of the Linux servers used for C&C, nor why their first action after logging in was to upgrade OpenSSH.