Meet the Flame virus’s mean little sibling


Kaspersky Lab

So it looks like the Flame and Gauss viruses that infected thousands of computers in the Middle East with advanced spyware over the last few years were merely meant to identify valuable targets. Once a person of interest was found by those big bugs, a much smaller, more precise tool, dubbed miniFlame, was sent in to pillage their machines, according to a brand-new report by Kaspersky Lab.

Basically, miniFlame operates as a backdoor allowing its operators to grab any file from an infected machine, according to an Oct. 15 announcement by the lab. MiniFlame can also take screenshots of an infected computer while it's running a web browser, Microsoft Office programs, Adobe Reader, an instant messenger service, or an FTP client. MiniFlame's operators can also send out a separate "module" to infect a victim's USB drives and use them to store data that's collected from infected machines when they aren't connected to the Internet.

"Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," explained Alexander Gostev, Kaspersky Lab's chief security officer, in an Oct. 15 press release. "First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Stuxnet is the famous cyber weapon that destroyed Iranian uranium enrichment centrifuges several years ago by gaining access to the Supervisory Control and Data Acquisition (SCADA) software that controlled the centrifuges. Duqu is a piece of malware believed to be aimed at gathering intelligence about a target’s SCADA systems.

While Flame (shown above) and Gauss infected thousands of machines throughout the Middle East, miniFlame has only been found in a few dozen, reflecting the precise nature of the weapon. Interestingly, miniFlame has hit victims in France and the USA, not just the Middle East, though the main victims appear to be in Iran and Lebanon, says one of the Lab's reports on the malware.

"It's important to understand that the other – bigger – operations were basically about data and information gathering," wrote Roel Schouwenberg, senior researcher at Kaspersky Lab, in an Oct. 15 email to Killer Apps. "Overall these operations infected many thousands of computers, while we estimate that miniFlame was deployed merely dozens of times. miniFlame gives the attacker more direct access to and control over a specific machine. It's only intended to be used for extremely high-value targets."

Here are the basic facts about miniFlame, according to the lab:

  • miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.
  • The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.
  • Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variants are presumed to have been created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
  • Unlike Flame or Gauss, which had a high number of infections, the number of infections for miniFlame is much smaller. According to Kaspersky Lab's data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60.
  • The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

Flame was discovered earlier this year on Middle Eastern computers, and it was aimed at grabbing screenshots of victims' machines, recording keystrokes, and even capturing audio files and video chats. Gauss, also discovered this year, appeared to have been aimed at the Middle Eastern financial sector, where it collected information such as passwords from victims' web browsers. Many believe that Flame and Gauss were developed by the United States or Israel and were designed to gather intelligence on Iranian interests in the Middle East.

Speaking at a cyber security conference in Washington last month, Eugene Kaspersky, founder of Kaspersky Lab, said that if the famous Stuxnet virus is analogous to a car, Flame and Gauss are space shuttles in terms of sophistication.

"With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East," reads Kaspersky's report on the new virus. "Their true, full purpose remains obscure and the identity of the victims and attackers remains unknown."

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com's publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group, in Mountain View, CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California's Central Valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were OK. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.