Malware and the threat of the Mini-Me

Opinion by Darien Kindlund

Today's cyber criminals have shifted their efforts from somewhat low-level, financially motivated attacks on unwitting individuals, to all out enterprise-class assaults on large corporations and even nations in the hope of stealing precious intellectual property and other high value confidential data.

Today's cyber criminals have shifted their efforts from somewhat low-level, financially motivated attacks on unwitting individuals, to all out enterprise-class assaults on large corporations and even nations in the hope of stealing precious intellectual property and other high value confidential data.

The prevalence of cyber war and state-sponsored espionage campaigns – which was first pushed to the forefront by a spate of high-profile malware discoveries - also appears to be escalating as evidence of equally advanced, increasingly targeted off-shoots of these ‘parent' viruses is coming to light.

While much media attention surrounded the unearthing of sophisticated malware such as Flame, Stuxnet and Gauss, it now appears that there were several ‘mini' versions of these viruses released into the wild from the same factory of hackers – most likely around the same time that their famous parents were unleashed.

Junior variants such as the recently reported ‘miniFlame', a smaller-scale, highly targeted version of the Flame virus, have serious implications when you consider the growing threat of cyber war and increased sensitivity around intellectual property theft worldwide.

MiniFlame has been said to focus its attacks almost exclusively on IT systems in Western Asia, signalling a second wave of targeted international cyber espionage campaigns, as nations continue to tap into the growing use of sophisticated malware to indirectly attack one another.

The dynamic between generations of malware is certainly an interesting one. While variant strains of headline viruses are arguably just as dangerous as their parents in terms of genetic complexity, under-the-radar viruses such as miniFlame are more adept at moving through signature-based defences undetected. In other words, they are designed to better hone in on target systems and to wreak maximum havoc once within the confines of the network.

This presents a two-stage attack scenario – large viruses such as Flame cast a comparatively wide net and identify the potentially lucrative targets, before their offspring set to work drilling further into the target system.

The probable scope of these mini variants is also an alarming prospect. Based on reports of the nature of the command/control infrastructure of miniFlame, it is safe to assume that other variants of Flame – and indeed other well-documented viruses – are in existence. 

The potential for this combination of malware to wreak havoc on a target system is also dictated by the order in which they were discovered. For instance, if the parent malware was discovered before any of the junior variants were used, the parent malware can prove more damaging than the off-shoots, mainly because it provides clues to security researchers, which helps them better identify other variants inside the victim organisations before they can do too much damage.

Conversely, if the junior variants are discovered first, it can be more difficult for experts to expand their scope of analysis to look for indicators of parent genesis malware – particularly if the parent virus has not been widely used in one or more attacks and remains relatively unknown.

With the original development of miniFlame thought to date back as far as 2007, it is perhaps then just a neat coincidence that the variant was uncovered after a period during which Flame had been credited as the ‘most sophisticated computer virus in the world'.

It is more apparent than ever that we are now in an age of heightened cyber security threats, where different generations of malware are in simultaneous play, and attackers are equipped with the necessary tools to launch successful advanced, persistent threats on enterprises and government organisations alike.

Under-the-radar viruses such as miniFlame are a worrying indication of the expertise and determination of today's threat actors. Indeed, the highly complex nature of malware being discovered today is unfortunately the final nail in the coffin of traditional perimeter-based defences and anti-virus as standalone measures of defence – and urgent, proactive measures must be taken by organisations, governments and nations to ensure networks are defended as robustly as possible from these next-generation threats.

After all, it seems that further discoveries of a similar nature have become very much inevitable.

Darien Kindlund is senior staff scientist at FireEye

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events