Kaspersky Lab uncovers 'miniFlame'

Kapersky has  discovered new malware dubbed ‘miniFlame’, cyber espionage software directly linked to Flame.

The miniFlame program, also referred to as SPE, was originally picked up by security experts in July while analysing the Flame virus, a program responsibly for espionage attacks on Windows based computers in the Middle East.  At the time Kaspersky labelled the Flame malware the most sophisticated cyber weapon yet discovered.  The new discovery shows that the scale of the operation is larger than first imagined.

Further findings have now shown that while miniFlame is based on the same architecture as Flame, it can also be used both independently as a malicious program, as well as acting as a plug-in for Flame and Gauss.  The intention for the program is to be used as a cyber espionage tool, Kaspersky Lab says, operating as a backdoor for data theft, allowing the creators direct access to the infected computer.

The number of computers infected by miniFlame is lower than its counterparts however, with Kaspersky Lab claiming that noting that between 10-20 machines have fallen victim to the virus. The total figure is estimated to be up 60 worldwide.  Those infected were most likely already infected with the Flame virus, forming the “second wave” of a targeted cyber espionage attack aimed at stealing information.

According to Kaspersky, versions of miniFlame were created in 2010 and 2011, and some of the six variants are still considered active.  It is expected that development of the malicious program could have started as far back as 2007.

“MiniFlame is a high precision attack tool,” said Alexander Gostev, Chief Security Expert, Kaspersky Lab, describing the malware. “Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyberattack.”

“First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information,” he said. “After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.”

This could involve taking screenshots of infected computers, or a USB drive could be controlled to store data collected from infected machines without an internet connection.

The analysis of miniFlame also highlighted the cooperation between the creators of Flame and another virus, Gauss, with miniFlame designed to operate alongside both malware programs.

Furthermore Kaspersky contends that with links already established between the creators of Flame and Stuxnet, the viruses are all likely to have originated from the same source.   

The US government has so far been widely linked to both Flame and Stuxnet, which was responsible for attacks on Iranian infrastructure and nuclear facilities.