Alex. Barbara. Charles. Drake. Elvis. Eve. Fiona. Sam. Sonia. Tiffany.
What do all these names, some of which belong to popular singers, have in common? They’re commands used by a new state-sponsored computer-espionage tool discovered by Russian anti-virus firm Kaspersky Lab.
The espionage tool, dubbed “John” by its creators but “miniFlame” or “SPE” by Kaspersky researchers, appears to have come from the same malware factory that created Stuxnet, Duqu, Flame and Gauss.
“If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high-precision, surgical attack tool,” wrote an unnamed Kaspersky researcher in an official blog posting Monday.
Your tax dollars at work
Kaspersky’s report, while exhaustive, discreetly avoids the elephant in the room: All the above-named pieces of malware, plus miniFlame, are probably the work of American intelligence agencies. All of them primarily target computer systems in the Middle East, and miniFlame is no exception.
“We believe that the choice of countries depends on the SPE variant,” the Kaspersky blog posting said. “For example, the modification known as ‘4.50’ is mostly found in Lebanon and Palestine. The other variants were reported in other countries, such as Iran, Kuwait and Qatar.”
The largest number of infected machines was found in Lebanon. Significant numbers appeared to be in France and the U.S., but Kaspersky discounted many of those as the result of proxy connections bouncing off servers in those countries while masking the users’ true locations.
“MiniFlame is in fact based on the Flame platform but is implemented as an independent module,” said the Kaspersky blog. “It can operate either independently, without the main modules of Flame in the system, or as a component controlled by Flame.”
A Bunsen burner and a cigarette lighter
Flame is a very large, very sophisticated piece of spyware that Kaspersky and other research facilities discovered in May, though it is believed to date back to 2007. (MiniFlame may be a bit younger, with known versions created over a one-year period ending in September 2011.)
Flame infects a targeted computer by posing as a Windows security update — itself a remarkable feat — and then turns the computer into a massive spying device.
It secretly turns on the microphone and webcam to record audio and video, takes countless screenshots, maps out the local network (and infects other machines on it), captures email and instant messages, logs Web-browsing history and copies files. Then it sends all the recorded data to a command-and-control server before erasing itself.
MiniFlame does most of the same things, but with more precision, going after only certain files instead of harvesting everything. It also can send collected data to an attached USB drive if the infected machine is not connected to the Internet, in hopes the USB drive will eventually be plugged into a machine that is. (The Stuxnet worm used a similar “sneakernet” method of distribution.)
Last month, an analysis by Kaspersky and the American anti-virus firm Symantec of two of Flame’s command-and-control servers, which had been seized by European police, revealed that the servers were coded to receive input from four existing pieces of malware: Flame and three others that hadn’t yet been found. Kaspersky thinks that miniFlame is, in fact, one of those three.
Most interestingly, Kaspersky's report today found that miniFlame can be used with Gauss, a bank-account information-stealer that was found targeting Lebanese banks earlier this summer. Until the discovery of miniFlame, there wasn’t anything solidly linking Gauss to the other pieces of state-sponsored malware.
Kaspersky earlier established that some Flame modules were used in an early version of Stuxnet, which crippled an Iranian nuclear-fuel processing facility in 2010. In June, government sources told the Washington Post that Flame was a reconnaissance tool used to “prepare the battlefield” for Stuxnet. Duqu is a seldom-seen information-stealer that shares much of its code with Stuxnet.
All of these pieces of malware may be part of “Olympic Games,” a U.S. cyberintelligence operation directed against the Iranian nuclear program that the New York Times says was begun by President George W. Bush and accelerated by President Barack Obama.
Iran, currently battling crippling international sanctions imposed upon it for not giving up what appears to be a nuclear-weapons program, has a lot of money tied up in Lebanese banks and can be assumed to be using those banks to evade sanctions.
For American intelligence operatives, miniFlame would do double duty, tracking both the Iranian nuclear program and the money used to fund it.