Saturday, November 10, 2012

Cyber-espionage: Gauss, Madi and others

Cyber-espionage: Gauss, Madi and others

by Siavash,
November 3rd 2012

According to a analysis of security company Kaspersky in IT Threat Evolution: Q3 2012;

Q3 saw a plethora of espionage-related incidents. The most significant of these were related to the activity of Madi, Gauss and Flame malware, which were distributed primarily in the Middle East.

One campaign related to penetrating computer systems went on for almost a year and targeted users primarily in Iran, Israel and Afghanistan. We conducted a joint detailed study of this malware with our partner, an Israeli company called Seculert. The malicious program was named “Madi” based on the strings and identifiers used by the cybercriminals in their malware. The malicious components were distributed via attacks that were based on a set of well-known unsophisticated technologies. This indicates that the victims’ awareness of Internet security left much to be desired.

These attacks involved installing backdoors coded in Delphi on victim machines. They could have been created by an amateur programmer or else by a professional developer who was extremely short of time. The campaign targeted the critically important infrastructure of engineering firms, government organizations, banks and universities in the Middle East. Victims were chosen among users within these organizations whose communications had been under close surveillance for extended periods of time.

The Gauss malware was discovered in the course of an investigation initiated by the International Telecommunication Union (ITU) after the discovery of the Flame malware. Essentially, Gauss is a nation-state sponsored “banking” Trojan. In addition to stealing a variety of data from infected Windows machines, it includes malicious payload which is encrypted and the purpose of which is not yet known. The malicious program activates only on systems with certain configurations. Gauss is based on the Flame platform and shares some features with Flame, such as routines for infecting USB drives.

Our experts were also able to gain new information on Flame command-and-control (C&C) servers. A study conducted by Kaspersky Lab experts in cooperation with our partners – Symantec, ITU-IMPACT and CERT-Bund/BSI – has enabled us to make a number of important conclusions. First, the development of code for C&C servers based on the platform began as far back as December 2006. Judging by the comments left in the source code, the project was developed by at least four programmers. The C&C code supports three communication protocols. A major finding is that it handles requests from four malicious programs, codenamed by the authors as SP, SPE, FL and IP.

Of these four malicious programs, only two are known at this time: Flame and SPE (a.k.a. miniFlame).

Based on the data collected from the study, we can state that the cyber-espionage story looks set to continue in the near future. The objective of the work performed by Kaspersky Lab is to mitigate the risks which have arisen with the emergence of cyber weapons.

Original Page:

Shared from Pocket

No comments:

Post a Comment