| SAN FRANCISCO
SAN FRANCISCO Oct 15 The security company that
has discovered some of the most sophisticated spying software
unearthed to date says it found a related program, dubbed
"miniFlame," which can carry out more precise attacks on targets
in the Middle East.
While the original Flame virus swept in data from perhaps
5,000 computers, largely in Iran and Sudan, the new miniFlame
struck only about 50 "high-value" machines, according to
Kaspersky Lab research published on Monday. Ira n had previously
blamed Flame for causing data loss on computers in the country's
main oil export terminal and Oil Ministry.
"Flame acts as a long sword for broad swipes while miniFlame
acts as a scalpel for a focused surgical dissection," Roel
Schouwenberg, a senior researcher at Moscow-based Kaspersky Lab,
Kaspersky theorized that miniFlame was distributed mainly by
Flame and another recently discovered spyware program, Gauss,
which was most prevalent in Lebanon and may have been aimed at
tracking financial transactions.
Not much is known about miniFlame's victims, except that
they were more geographically dispersed than those of Flame and
Gauss. Infections were found in Lebanon and Iran most of all but
also in the Palestinian Territories, Iran, Kuwait, and Qatar,
according to Kaspersky.
Kaspersky and U.S. security software company Symantec Corp
have said that some of the code in Flame also appeared
in an early version of Stuxnet. Found in 2010 and aimed at
Iran's nuclear enrichment program, Stuxnet is sometimes
described as the first true cyber-weapon. Cybe r experts widely
believe Stuxn et is an American project.[ID: nL1E8HB2GW]
Kaspersky and Symantec said in a joint research paper last
month that Flame's control software remotely directed a number
of smaller programs, and that the effects of only one of those
programs was clear.
Symantec said at the time the overall project "fits the
profile of military and intelligence operations," in part
because encryption kept some operatives in the dark about what
data they were taking from infected machines.
The many technological innovations in Flame included its
hijacking of Microsoft Corp's Windows Update feature,
which is critical for keeping the operating system current as
new security problems come to light.
The new discovery concerns one of the smaller programs
controlled by the Flame command software, referred to in the
original code as SPE.
According to the Kaspersky analysis, it includes a "back
door" allowing for remote control, data theft and the ability to
take screen shots - or images of the computer screen - as the
user engages with Microsoft Office, Adobe Systems Inc's
Reader, web browsers, and other applications.
"MiniFlame is installed in order to conduct more in-depth
surveillance and cyber-espionage," Kaspersky Chief Security
Expert Alexander Gostev said.
Symantec said on Friday it had no new information on Flame
or the related programs.
Kaspersky said that miniFlame worked with Flame and Gauss
but could also operate independently of both, taking orders from
a separate network of command computers. It said the new
discovery makes a stronger case for the connection among all the
programs, though it has not accused any party of authorship.
Kaspersky said it found six versions of miniFlame, the most
recent created in September 2011. Some of the protocols it used
dated to 2007, making it a long-running effort.
MiniFlame responded to a series of commands given Anglo
first names by the program authors. "Elvis" created a process on
an infected machine and "Barbara" took a screen shot. "Tiffany"
directed the computer to a new command server.
In a speech on Thursday, U.S. Secretary of Defense Leon
Panetta warned that the country could act pre-emptively against
imminent cyber attacks that would cause "significant physical
damage" or kill U.S. citizens. He said the Pentagon was
rewriting its rules for engagement in cyberspace.
Though it has been ramping up its capabilities, the Pentagon
has said little in public about what it can do.