FireEye Spotted Gauss Infected Systems in Flame Servers

Security Firm, FireEye's last blog referred Gauss-infected systems' plunge to connect old Flame command and control (CnC) servers, reported securitywatch.pcmag.com on August 23, 2012.

Explaining FireEye's research in detail, Ali Islam, a Researcher with FireEye, said he of late observed Gauss-infected machines associated to command servers that employs the same IP address as Flame. The Gauss operators performed this by mapping the domain addresses secuurity.net and gowin7.com to the Netherlands-based IP address 95.211.172.143, which earlier had been observed to hosting Flame- exclusively infected machines

Islam, a Researcher with FireEye, while explaining it said that he recently observed that Gauss-infected machines connecting to command servers use the same IP address as Flame.

The function takes place by mapping the domain addresses secuurity.net and gowin7.com to the Netherlands-based IP address 95.211.172.143, which were earlier observed to be hosting Flame-infected machines. However, pseudonymns are facilitating the registration of the domains as an alternative of anonymous registration services and the sharing of IP addresses, commented Islam who said that the two actors don't materialize to be trying to hide the affiliation between the two Trojans, as published by arstechnica.com on August 23, 2012.

But after the passage of sometime, and FireEye findings went live, researchers from Kaspersky Lab lit up Twitter with posts that indicated that it was an error in FireEye's findings: The activity FireEye was seeing from Kaspersky's sinkhole to study Gauss and Flame.

Nevertheless, after posting the findings, researches from Kaspersky Lab shed light on it through Twitter, tweeting an error in FIreEye's findings. The activity that was monitored by FireEye was a sinkhole from Kaspersky's sinkhole to study Gauss and Flame.

According to Alexander Gostev, Chief Security Expert at Kaspersky Lab, Gauss was studied. Researchers started with the process of working along with other organizations towards monitoring the C2 servers with sinkholes. Considering Flame's association with Gauss, the sinkhole process was in progress to be organized for monitoring both Flame and Gauss C2 infrastructures. It is noteworthy to state that the Gauss C2 infrastructure is entirely different than Flame's. In July 2012, Gauss C2s were shut down by the operators and the servers have remained dormant since then, as published in cso.com.au on August 24, 2012.

Gostev further added that during the process of exploration into Gauss C2s and creating sinkholes, researchers identified reliable members of the security and anti-malware community about the sinkhole IP and operation.

Last but not the least, FireEye regretted for its findings saying that the lack of information exchange about such activities often leads to misleading conclusions.

Related article: Free Web Host Services: spammer’s bull’s eye

» SPAMfighter News - 8/30/2012