The most significant IT security incidents of the third quarter of 2012 were related to activity by the Madi, Gauss and Flame malware, according to Kaspersky Lab.
The Madi campaign of penetrating computer systems went on for almost a year and targeted the infrastructure of engineering firms, government organisations, banks and universities in the Middle East. The malicious components were distributed via attacks that were based on a set of well-known, unsophisticated technologies. Despite the simplicity of the technology, cyber-criminals managed to keep their victims under close surveillance for extended periods of time.
The more sophisticated Gauss malware, classified as a ‘cyber-weapon’ by experts, was discovered in the course of an investigation initiated by the International Telecommunication Union (ITU) after the discovery of the Flame malware. Essentially, Gauss is a nation-state sponsored “banking” Trojan. In addition to its other spyware payload, it is aimed at stealing a variety of information about online banking systems of infected PC users in the Middle East. Gauss secretly forwards to administration servers passwords, inserted or saved in the browser, cookie files and configuration details of the infected system. Gauss is based on the Flame platform and shares some features with Flame, such as routines for infecting USB drives.
Kaspersky Lab staff were also able to gain new information on Flame command-and-control (C&C) servers. The C&C code supports three communication protocols. It handles requests from four malicious programs, codenamed by the authors as SP, SPE, FL and IP. Of these four malicious programs, only two are known at this time: Flame and SPE (aka miniFlame).
Countries at risk
Threat geography also saw interesting changes. There was a new leader among countries hosting malicious content, with Russia (23.2 per cent) overtaking the USA (20.3 per cent).
In Q2, the top 20 countries at risk of computer infection via the internet consisted exclusively of countries from the former Soviet Union, Africa and South-East Asia. In the third quarter it also included two South European countries: Italy (36.5 per cent) and Spain (37.4 per cent). Russia was replaced by Tajikistan as the most dangerous place to surf the web, with 61.1 per cent of users in the Central Asian country encountering antivirus detections when online.
The full version of the report “IT Threat Evolution: Q3 2012” is available at http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012
