Wednesday 24 October, 2012
Kaspersky Labs has recognized a new malware program called MiniFlame that’s designed to spy on individual Internet users. It does targeted surveillance, which means that it analyzes data on a number of users and narrows it down to a handful that it considers worth attacking.
The malware is called MiniFlame because of its resemblance to the Flame and Gauss cyber-espionage malware programs that emerged this year. It was discovered while Kaspersky Labs was analyzing the Flame program and technicians at first believed it was part of Flame. They’ve since identified it as a separate program.
MiniFlame was identified in July 2012 but it’s believed to have been around for several years. Kaspersky has identified six variants but there could be more. At the time of writing, only around 60 computers have been infected. Most are located in Western Asia and it’s suspected that they’re computers that were already infected by Flame or Gauss.
MiniFlame has a similar architectural platform to Flame and Gauss. It steals data from a large number of users and then analyzes this data to find good targets. One major difference between the programs is that MiniFlame does more in-depth analysis before choosing its victim. This is why it has infected only a few computers, compared with the thousands infected by Flame and Gauss.
When Flame and Gauss were first detected, the connection between them was not known. However, the discovery of MiniFlame shows that they’re connected, along with several other similar programs. The discovery of MiniFlame will likely help investigators find the control centers of all of these programs and shut them down.
Another difference is that although most known infections have occurred in Western Asia, MiniFlame is not focused on a specific region. Flame hit users in Iran and Sudan while Gauss hit users in Lebanon, but MiniFlame infections have been found in Lebanon, Palestine, Kuwait, Iran and Qatar thus far.
Flame and Gauss were used to steal information from banks in these countries.
The Most Sophisticated Cyber-Spy Tool
It’s believed that once Flame infects a computer, that computer can then easily be infected by MiniFlame. MiniFlame can send out a piece of code called browse32, which gets rid of the Flame infection and prevents the program from being reinstalled.
When it was discovered last May, Flame was pronounced by security experts to be the most sophisticated cyber-spy tool yet. It can analyze network traffic, take screenshots, log keys being typed, record audio conversations, and much more. All of this data is then sent to the program’s command-and-control servers. It’s a total surveillance package.
Kaspersky Labs feels that it has just scratched the surface of a massive cyber-spy operation. The identities and motives of the attackers are not yet known.