MiniFlame Drops Cyberbombs on High-Value Targets
MiniFlame is highly targeted, only having infected a few dozen computers. It targets specific files, said Kaspersky Lab researcher Roel Schouwenberg. "We currently assume that miniFlame is installed via Flame and Gauss. This leads us to believe that infections are only found on extremely high-value targets."
Oct 17, 2012 10:33 AM PT
Security researchers have identified a new offshoot of the notorious Flame espionage malware. The malware, called "miniFlame," creates a backdoor in the systems that it infects. That backdoor can then be used by an attacker to gain access an infected machine. The attacker can then write files to the compromised computer, snatch files from it or snap screenshots of its display.
Although miniFlame is related to large-scale cyberespionage software like Flame and Gauss, its scope is narrowly focused. "If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool," Kaspersky Lab explained.
While Kaspersky estimates that Flame and Gauss have infected more than 10,000 systems, miniFlame has infected only a few dozen systems in western Asia. "This indicates that SPE is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and posing the greatest interest to the attackers," Kaspersky reasoned.
Only For High-Value Targets
Aside from establishing a backdoor into a machine, miniFlame is interested in certain files and programs on the computer, explained Kaspersky senior researcher Roel Schouwenberg.
"We currently assume that miniFlame is installed via Flame and Gauss," he told TechNewsWorld. "This leads us to believe that infections are only found on extremely high-value targets. We don't know what these targets are."
While it's been documented that the United States had a hand in developing the Stuxnet cyberweapon that disrupted Iran's nuclear development program, the source of Flame and Gauss hasn't been determined. However, the discovery of miniFlame does say something about that source, Schouwenberg observed.
"It further affirms our belief that Flame and Gauss were two parallel operations commissioned by the same entities," he said.
As more information is discovered about these espionage malware families, the messier the development process appears to have been, according to Vikram Thakur, principal security response manager at Symantec.
Multiple threats were created to support a specific agenda. "Initially," he told TechNewsWorld, "the agenda may have been very targeted toward one specific end goal, but it most likely grew to encompass additional targets."
"The use of multiple malware variants could be attributed to different development teams or to different mandates, where one group wasn't necessarily aware of the other for operational security reasons," he observed.
The bottom line for all these variants is the same. "All of these different malware families are doing largely the same thing: gathering intelligence," he said.
Costly To Build
The families have another thing in common: the cost of developing them, according to Aryeh Goretsky, a researcher at Eset."The cost of writing a Stuxnet is a lot less than sending spies into a country, but they're still extraordinarily high, compared to other pieces of malware," he told TechNewsWorld.
For example, Flame's attack on Microsoft's Windows update system was costly to design. "That could only have been built using a supercomputer," he maintained.
From a researcher's point of view, the discovery of miniFlame connects a few more dots in the Flame picture, according to Jim Walter, managing director for McAfee's Threats Intelligence Service. "It solidifies much of what we already knew from the broader 'Flame' attack, and it provides interesting insight into the modular bits and pieces that were previously incomplete," he told TechNewsWorld.
"These discoveries will be occurring for the foreseeable future as we continue to analyze the pieces and build a clear bigger picture of the larger attacks," he added.
Nations Teaching Criminals
If cyberweapons were the exclusive domain of nation-states, the threat to the public would be less than it actually is, argued Tom Kellermann, vice president of cybersecurity at Trend Micro.
"This evolution of attack code ushers in an era where [attackers] can continue to colonize systems because they are learning from the actions of nation-states who have begun to enter the fray of cyberwarfare," he told TechNewsWorld.
Perimeter defense technologies -- including antivirus software and firewalls -- are becoming ineffective against these kinds of attacks, he said.
"What worries me is that miniFlame, under some other name, will be used by criminal groups or terrorists," he said.