The malware is one of the four strains of viruses Kaspersky found after analyzing code from Flame’s command and control servers. There, researchers discovered communications protocols for IP, SPE, SP, and FL. “FL” was quickly identified as Flame. SPE is today’s miniFlame. Kaspersky says SP is likely an older version of SPE. IP is yet to be found and is the youngest of the four.
Flame was discovered earlier this year and was quickly labeled one of the most advanced cyber espionage tools known. It targets the Middle East and is packed with modules that each perform some sort of spying technique, such as turning on the computer’s microphones to record audio or taking screenshots when certain communications apps, such as email or Skype, are open. Gauss was found soon thereafter targeting systems in Lebanon, specifically programmed to steal bank account login credentials and other associated data.
Gauss can also use miniFlame as a plug-in, which strengthens the idea that the Flame and Gauss malware writers were in some way connected. When Gauss uses miniFlame, however, it refers to it as “John.”
Flame is similarly connected to the Stuxnet and Duqu viruses, as it shares a separate module with the two.
MiniFlame doesn’t target specific regions, but there are several variations of miniFlame that target places like Pakistan and Iran. There have also been some cases found in France. Thus far, researchers have only found six of these variants but believe there are up to six more. Those currently under watch were created between 2010 and 2011, though the protocol for miniFlame, SPE, was created in 2007.
Unlike Flame or Gauss, miniFlame lets its creators control the infected computer through a backdoor that it sets up. Once in, it listens for commands, each of which goes by a name. These include:
- Fiona: Writes files to the machine
- Sonia: Data stealing, sends files back to the command and control servers
- Sam: Puts the computer to sleep for a “specified amount of time”
- Barbara: Takes a screenshot if a specific application is open
Others include Elvis, Eve, Drake, Charles, Alex, and Tiffany.
How miniFlame actually gets installed onto victims’ computers is still unknown. Researchers believe it could be deployed from the command and control server when Flame and Gauss infect the system, though it can operate without the aid of Flame and Gauss.
Read more at http://venturebeat.com/2012/10/15/miniflame-malware/