The analysis also showed that these communication protocols were used by four separate threats called SP, SPE, FL and IP. FL, which is believed to be Flame, and SP -- possibly an older version of SPE/miniFlame -- use OldProtocol. SPE uses OldProtocolE, while IP, which hasn't been found yet, uses SignupProtocol. RedProtocol is mentioned in the server software, but has not been implemented yet.

MiniFlame was discovered at the beginning of July, but has been used since at least 2010. The Kaspersky researchers have found six samples of the malware dating from 2010 and 2011 and have reason to believe that the communication protocol used by the malware was created in 2007 or earlier.

"We believe that the developers of miniFlame created dozens of different modifications of the program," the Kaspersky researchers said.

Kaspersky estimates the total number of miniFlame infections at between 50 and 60, far fewer than the number of Flame infections -- 5,000 to 6,000 -- or Gauss infections -- approximately 10,000.

"The modification known as '4.50' is mostly found in Lebanon and Palestine," the researchers said. "The other variants were found in other countries, such as Iran, Saudi Arabia and Qatar."

Some IP (Internet Protocol) addresses associated with miniFlame-infected computers that contacted the C&C servers between May and September were from the U.S., France and Lithuania. Some of them correspond to proxy or VPN servers that might have been used by the malware's victims, but others do not.

"With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East," the Kaspersky researchers said. "Their true, full purpose remains obscure and the identity of the victims and attackers remains unknown."