October 15, 2012
Flame Virus Heats Up, Sparks ‘miniFlame’
Michael Harper for redOrbit.com — Your Universe Online
The U.S. and Israeli governments may have just wanted a way to spy on Iran and break down their nuclear plants when they created and released the Flame malware and Stuxnet worm. Did they also predict that these potent pieces of software were susceptible to being released into the wild and duplicated by those without such patriotic intent?
Now, after keeping a diligent eye on the Flame malware in all its variations and releases, the security experts at Kaspersky Labs have discovered yet another version of the spyware which they are calling “miniFlame.”
According to Kaspersky Labs, this new bit of malware is capable of even more precise attacks on targets in the Middle East, as it spies on computers that were once infected by the original Flame.
This is the fourth piece of malware discovered in the last year believed to have been created by the same U.S. and Israeli government collaboration that created Stuxnet. Each of these pieces of malware has so far been found to be used for spying rather than destruction. DuQu, Flame and Gauss were discovered earlier this year.
According to the Kaspersky Labs report, miniFlame (its users call the malware “John” or “SPE”) can be used as a backdoor to the machines on which it is installed. Once there, the malware operators can take screenshots of whatever is being displayed on the screen, including screenshots from web browsers, word processing applications and FTP clients. These shots are then uploaded to the malware's command and control (C&C) server.
“Separately, at the request from miniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an internet connection,” writes Kaspersky Labs in their report.
“MiniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack,” writes Alexander Gostev, Chief Security Expert, in the report.
“First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, DuQu, Flame and Gauss.”
The discovery of this new malware comes at a very interesting time for the U.S. government.
Just last week, the House Intelligence Committee issued a scathing report on Chinese companies Huawei and ZTE, suggesting these two telecoms are in bed with the Chinese government and could use any equipment (servers, routers and the like) sold in the U.S. to spy on American companies.
Until now, there had not been a solid link between Flame and Gauss to prove they came from the same developers. Now, with miniFlame, the researchers say these pieces of malicious software came from the same “cyberweapon factory” as a larger part of the same operation.
“Neither Flame nor Gauss allow [the attackers] to directly control the infected system,” says Roel Schouwenberg, a senior researcher with Kaspersky, speaking to Wired.
“They're not designed to allow direct interaction between the attackers and the victim [the way miniFlame does].”