7 MiniFlame Facts: How Much Espionage Malware Lurks?

Just how much cyber-espionage malware is currently at large, and who does it target?

Kaspersky Lab Monday revealed that in September 2012, its researchers discovered that a mysterious piece of code connected to the Flame malware, which they suspected was a Flame attack module, could in fact work as a standalone attack program. But the program, dubbed MiniFlame, could also interoperate with both the Flame and Gauss malware, which, like MiniFlame, were built using a related code base.

MiniFlame is notable because it's a nation state-created advanced persistent threat (APT) that was designed to be used in very highly targeted attacks while remaining quite difficult to detect. That, of course, raises the question of what other types of espionage malware may currently be in circulation. Here are seven related facts:

1. Flame spawned more than MiniFlame. Kaspersky Lab estimates that there have been about 10,000 Gauss infections in total, as well as 5,500 Flame infections, but just 50 or 60 MiniFlame infections, meaning the mini-malware was used in very highly targeted attacks.

After reviewing the Flame code base, Kaspersky Lab researchers said they found references to client type "FL"--which was Flame itself--as well as to "SP," "SPE," and "IP." While the researchers said they recently found in-the-wild samples of SPE, a.k.a. MiniFlame, they have yet to find the other two cyber-espionage or cyber-sabotage tools created by the same authors, according to a blog post from the Kasperksy Labs global research and analysis team.

[ For more background on the Flame espionage story, see Meet Flame Espionage Malware Cousin: MiniFlame. ]

2. MiniFlame discovery was a lucky break. Kaspersky Labs, arguably, was lucky to even stumble on MiniFlame, which it found after seeing related communications via one known Flame command-and-control (C&C) server. In other words, thanks to initially finding Flame, Kaspersky found related attack code. But how many more Flame C&C servers may be in use?

3. If Flame targets Middle East, what targets North Korea? Arguably, Flame isn't the only game in town. Accordingly, how many as-yet-undiscovered forms of espionage malware families may be in circulation? To date, most of the Flame-related malware has been "clearly focused on the Middle East," said Eric Byres, CTO of Belden's Tofino Security and founder of the British Columbia Institute of Technology (BCIT) Critical Infrastructure Security Center in Canada. "Guess what--that's not the only theater of interest to the United States."

Just what does MiniFlame (SPE) target? "Unlike Flame, the vast majority of incidents were recorded in Iran and Sudan, and unlike Gauss, which was mostly present in Lebanon, SPE does not have a clear geographical bias," said Kaspersky Lab. "However, we are inclined to believe that the choice of countries depends on the SPE variant. For example, the modification known as '4.50' is mostly found in Lebanon and Palestine. The other variants were found in other countries, such as Iran, Saudi Arabia and Qatar."

Furthermore, the United States is far from the only country using these types of APTs for espionage. "You can bet that anybody with sophisticated military capabilities is doing this too. So where are the Chinese and Russian Flames?" said Byres, speaking by phone.

4. Flame got burned. Arguably, the Flame malware is now of less use to its creators, owing to antivirus companies now having added signatures to spot and remove the malware. But what if Flame was designed to be burned after being discovered, without compromising other cyber-espionage malware?

"The only way that Flame and Stuxnet are linked is that a very early variant of Stuxnet included a module that was very clearly built from the Flame code base," said Byres, who is also an expert on the Stuxnet malware. "But later, it goes away. So you get the sense that later, there's a very clear decision by someone to keep the code apart, because we don't want our Flame operations to impact our Stuxnet operations--or our Stuxnet operations to impact something else."

5. Flame development was likely compartmentalized. Byres, who warned that his knowledge of spying and espionage "is from watching James Bond," said that unlike cybercrime toolkit dashboards, which focus on ease of use, the Flame control dashboards discovered by Kaspersky Labs suggest that the malware is used in a very compartmentalized manner.

"The interface is very cryptic, and it's requiring you to load modules and execute actions. You don't have a nice point and click; this ain't Windows," he said. "So you could have a third party writing the actions and then saying to the operator, 'run this module.'" In other words, whoever's administering Flame could be loading modules and forwarding returned data to an outside party without being any the wiser as to which PCs were being targeted or infected or what type of data was being harvested.

6. U.S. is running a cyberweapons factory. Given researchers' findings that the Flame and Gauss malware appears to have connections to Stuxnet, and U.S. government officials have confirmed, anonymously, that Stuxnet was designed by the United States as part of the so-called "Olympic Games" project, it's obvious that the U.S. government isn't afraid to use malware for espionage purposes. But that raises numerous questions, including who should have the right to use such software, as well as what rights other nations should have to respond to it.

"Is it concerning that the U.S. appears to be a leader in offensive cyber operations? Is the real difference between APT and APF (advanced persistent friendliness) summed up in the amount of trust you have for the motives of the sponsoring nation-state?" wrote Sean McBride, the director of analysis for Critical Intelligence, in a recent SANS Institute newsletter.

7. Criminals learn from malware advances. Another worry from nation states' malware espionage operations is that their tricks will soon be put to use by criminals. In a 2009 report on malware used for surveillance purposes, Cambridge University researchers Shishir Nagaraja and Ross Anderson wrote, "What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course."

In other words, how long will it be until today's Flame becomes the inspiration for tomorrow's financial malware attack?

Organizations challenged by meeting the requirements of multiple regulatory mandates are increasingly looking at the alignment of governance, risk, and compliance under a unified framework, GRC. In our report, A Security Pro's Guide To GRC, we examine where the security professionals figure into the mix and recommend the steps organizations should take to align IT GRC with existing security programs and processes. (Free registration required.)