Monday, October 22, 2012

The Story Continues: MiniFlame

In early July 2012, a smaller Flame module was discovered. It had many similarities with Flame, so at first it was believed to be simply an earlier version of the Flame malware. A few months later it was found not only that a connection exists between this module and Flame, but also that there are examples of it being used concurrently with Gauss and being controlled by the Gauss main module.
Unlike Flame, which is designed for "massive spy operations," miniFlame is "a high precision, surgical attack tool," in Kaspersky's words.
Researchers found that MiniFlame was something of a stealth assassin compared to the other programs. Whereas Flame, Duqu and Gauss had broad missions to infiltrate many computers in countries like Iran, Syria and Lebanon, MiniFlame targeted just a few select victims in what Kaspersky calls "highly targeted attacks." Kaspersky reported that MiniFlame, while rare compared to the better-known malware packages, turned up in a wider variety of countries, including on a computer at the François Rabelais University in Tours, France.
Kaspersky Lab data indicates that the total number of infections worldwide is just 50 to 60, including computers in Lebanon, France, the United States, Iran and Lithuania. "Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyber attack," the researchers wrote.

Kaspersky determined that one machine in Lebanon is the lucky recipient of every nasty cyber weapon in the family:
There is one machine in Lebanon – what senior Kaspersky researcher Roel Schouwenberg calls “the mother of all infections” – which has Flame, Gauss, and miniFlame/SPE on it. “It is like everybody wanted to infect that specific victim in Lebanon for some reason,” he says.
The Russian antivirus company believes that two more malware modules are still in the wild, currently code-named only SP and IP. They may function much like the previously known programs, churning through target computers for sensitive data to send home to their controllers before executing the final trick in their arsenal: deleting themselves and vanishing from the infected system as if they had never been there at all.

MiniFlame operates "as a backdoor designed for data theft and direct access to infected systems," according to Kaspersky, which said development of the malware might have started as early as 2007 and continued until the end of 2011, with several variants.

Finally, to protect yourself:
1- Make sure that your antivirus definitions are up to date (this assumes you already use an antivirus).
2- Continuously monitor all the PCs you use for the Trojan "win32.Gauss".
3- Refrain from using the "Save Password" option that stores your credentials within web browsers.
4- Keep your operating system up to date.
5- Change your passwords from a trusted, clean machine if you suspect that your PC is or was compromised by Gauss or any other malware.
6- Exercise caution when using external storage devices (CDs, USB drives), in order to limit the propagation of Gauss or any other infection.
More info on

Tuesday, October 9, 2012

AUB: Information Security Alert: e-Scams

I received an email message from my University administrator that I would like to share:
AUB: American University of Beirut.

From: Administrator <>
Date: Tue, 9 Oct 2012 09:30:32 +0300
Subject: URGENT: Information Security Alert: e-Scams

Dear AUB users,
Some users are receiving messages (please check below) asking them to provide their credentials (e.g. username, password, email) in order to upgrade their accounts:

This is a scam message (also known as "phishing"), which involves Internet fraudsters who send spam emails or pop-up messages to lure unsuspecting users into submitting their personal information (passwords, credit card numbers, bank account information, Social Security numbers, or other sensitive information). In this case, the scammer's interest is your AUBnet username and password.

So please beware of such scams and phishing messages, and remember that the IT staff in general, and the IT Helpdesk in particular, at AUB and AUBMC will not request you to provide them with your passwords via email, in person, or via telephone. To counter these activities, the anti-spam tools that we have deployed on our systems would block the malicious emails, and our IT team takes precautionary measures by blocking this type of email.

If you provided your password by responding to the phishing email, please change your password IMMEDIATELY by doing the following: 
1-    Go to AUB’s home page (
2-    Click on “Faculty and Staff” or “Student Life”
3-    Click on "Computing Services for AUB Faculty or Staff"
4-    Under Quick Access, click on “Change AUBnet password”

For further help, please contact the IT Help Desk Team in the IT Customer Success department at Extension 2260.

For more information about online scams, please check

For more information about phishing, please check

The original scam message looks like this:
From: American University of Beirut Webmaster
Date: 8 October 2012 21:29:46 GMT+03:00

Reply-To: American University of Beirut Webmaster <>

Dear AUB Communications Subscriber,
Strange activity has been detected in your AUB Communications account, which is against our Acceptable Use Policy (AUP). This account is suspected to have been hijacked, for a proof of ownership Kindly fill the blank space below for verification form within 48hours on receipt of this mail.

Full Name:
Current Username/ID:
Current Password:
Date of Birth:

Enter all this information accurate and complete, otherwise for security reasons we may have to close your AUB Communications account permanently. Please understand that this is a security measure intended to help protect you and your AUB Communications account.

We apologize for any inconvenience.

Webmaster Administrator
© - 2007 - (Web Master) AUB. All Rights Reserved

Best Regards,
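The scam reproduced above is a textbook credential-harvesting message, and the hallmarks the alert describes (a form asking for the password itself, a 48-hour deadline, the threat of account closure, a generic salutation, and a Reply-To that does not match the sender) can be checked mechanically before a message reaches a user. The following is an added example written for this page; it is not the university's anti-spam tooling and not code from the original post. Both messages in it are constructed, and the domains and addresses (aub.example, freemail.example, the helpdesk address) are assumptions, since the post shows the real headers blank.

```python
"""Heuristic triage of a credential-harvesting e-mail (added example).

Parses a raw RFC 5322 message, compares the From and Reply-To domains, and
scans the body for the hallmarks of the scam reproduced above.  Samples are
constructed; every domain and address in them is an assumption.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "aub.example"   # assumed stand-in for the institution's mail domain
INSTITUTION_KEYWORD = "beirut"    # word a spoofed display name would carry

# Constructed sample modelled on the scam above; header addresses are invented.
SAMPLE_SCAM = """\
From: American University of Beirut Webmaster <webmaster@aub.example>
Reply-To: American University of Beirut Webmaster <aub.webmaster@freemail.example>
Subject: Strange activity on your AUB Communications account
Date: Mon, 8 Oct 2012 21:29:46 +0300

Dear AUB Communications Subscriber,
Strange activity has been detected in your AUB Communications account, which is
against our Acceptable Use Policy (AUP). This account is suspected to have been
hijacked, for a proof of ownership Kindly fill the blank space below for
verification form within 48hours on receipt of this mail.

Full Name:
Current Username/ID:
Current Password:
Date of Birth:

Enter all this information accurate and complete, otherwise for security reasons
we may have to close your AUB Communications account permanently.
"""

# Constructed benign help-desk message, for contrast.
SAMPLE_LEGIT = """\
From: IT Help Desk <helpdesk@aub.example>
Subject: Scheduled webmail maintenance
Date: Tue, 9 Oct 2012 09:30:32 +0300

Dear colleagues,
Webmail will be unavailable on Saturday between 02:00 and 04:00 for maintenance.
No action is required. We will never ask for your password by e-mail.
"""

# (weight, reason, regex applied to the plain-text body)
BODY_CHECKS = [
    (3, "form field asking for a password or username",
     re.compile(r"^[ \t]*(?:current[ \t]+)?(?:password|username(?:/id)?)[ \t]*:", re.I | re.M)),
    (2, "asks the reader to provide/enter/verify a password",
     re.compile(r"\b(?:provide|enter|fill|confirm|verify|send)\b[^.\n]{0,60}\bpassword", re.I)),
    (1, "deadline of N hours",
     re.compile(r"\bwithin\s*\d+\s*hours?\b", re.I)),
    (1, "threatens to close or suspend the account",
     re.compile(r"\b(?:close|suspend|terminate)\b[^.\n]{0,40}\baccount\b|\bpermanently\b", re.I)),
    (1, "generic salutation instead of a name",
     re.compile(r"^\s*dear\s+[\w ]*(?:subscriber|user|customer|member)\s*,", re.I | re.M)),
]


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return (score, reasons) for a raw message; higher means more suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []

    display_name, _ = parseaddr(str(msg.get("From") or ""))
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    # Replies routed to a different domain than the claimed sender.
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # Display name impersonates the institution while the address is external.
    if from_domain and from_domain != INTERNAL_DOMAIN and INSTITUTION_KEYWORD in display_name.lower():
        score += 2
        reasons.append(f"display name claims the institution but address is at '{from_domain}'")

    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
    else:
        body = msg.get_content()

    for weight, reason, pattern in BODY_CHECKS:
        if pattern.search(body):
            score += weight
            reasons.append(reason)
    return score, reasons


def is_phishing(raw_message, threshold=4):
    """Verdict: anything at or above the threshold goes to quarantine or review."""
    return triage(raw_message)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        score, reasons = triage(sample)
        print(f"{label}: score={score} phishing={is_phishing(sample)}")
        for r in reasons:
            print("  -", r)
```

The body regexes are deliberately narrow (a field label ending in a colon, an imperative verb near the word "password") so that a benign reminder such as "we will never ask for your password" does not trip the credential check; the header comparison is the one signal the wording of the message cannot disguise.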