New Gauss and Flame link was a mistake, researchers say
FireEye Malware Intelligence Lab researchers say they made a mistake in saying Gauss-infected machines were being directed to servers used by Flame.
Editor's note: This story and its headline have been updated and corrected to reflect new information provided by the researchers that completely changed their conclusions.
Researchers today said that hackers behind the Gauss cyber-espionage malware targeting banks in the Middle East were directing infected computers to connect to a command-and-control server used by the Flame spyware. However, later in the day they said they were mistaken and that other researchers had control of the server instead.
"In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors based on observing CnC communication going to the Flame CnC IP address," FireEye Malware Intelligence Lab said in an update to its original post. "At the same time, the CnC domains of Gauss were sink-holed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates."
Connections between Gauss and Flame had been made by Kaspersky Labs, which first reported on Gauss two weeks ago. Those researchers said at the time that they believed Gauss came from the same "factory" that gave us Stuxnet, Duqu, and Flame.
It's not surprising the malware might be connected given how they operate and their targets. Stuxnet, which appears to have been designed to sabotage Iran's nuclear program, was the first real cyberweapon targeting critical infrastructure systems. The U.S., with help from Israel and possibly others, is believed to have been behind Stuxnet and Flame, to thwart Iran's nuclear program and preempt a military strike, according to several reports.
In its earlier post, which FireEye left up on its site, the researchers had said: "Gauss bot masters have directed their zombies to connect to the Flame/SkyWiper CnC to take commands. Previously Kaspersky found intriguing code similarities between Gauss and Flame, but this shift in its CnC confirms that the guys behind Gauss and Flame/SkyWiper are the same." The infected computers were previously directed to servers in Portugal and India, but are now connecting to an IP address in The Netherlands, the post said.
"It seems like these guys are getting more confident and blatant with each passing day," the original post had said. "Previously, in the case of Flame, an anonymity feature was used while registering domains; they could have done the same for Gauss, but they opted for fake names like Adolph Dybevek, Gilles Renaud, etc., and now they are openly sharing resources and adding more modules/functionalities (banking as a recent example) to their malicious software."
Meanwhile, two of the computers found to be infected with Gauss are in the U.S. at "well-reputed companies," the post said. The targets have mostly been banks in Lebanon.