Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Gauss-pursuing researcher trips over Kaspersky-operated sinkhole

From: InfoSec News <alerts () infosecnews org>
Date: Fri, 24 Aug 2012 08:08:19 -0500 (CDT)
http://arstechnica.com/security/2012/08/gauss-espionage-malware-phones-home-to-same-servers-as-iran-targeting-flame/

By Dan Goodin
Ars Technica
Aug 23, 2012
Because of incorrect research contained in the original report, this article previously misidentified a command and control server that was being accessed by computers infected by the Gauss espionage malware. Contrary to that report, the server is operated by researchers with antivirus provider Kaspersky Lab. Such "sinkholes" are used disrupt computer botnets by preventing infected machines from reporting to malicious servers under the control of the malware operator.
Shortly after this article was published, Kaspersky Chief Security Expert Alexander Gostev issued the following statement: 

    After discovering Gauss we started the process of working with
    several organizations to investigate the C2 servers with
    sinkholes. Given Flame's connection with Gauss, the sinkhole
    process was being organized to monitor both the Flame and Gauss’
    C2 infrastructures. It’s important to note that the Gauss C2
    infrastructure is completely different than Flame's. The Gauss C2s
    were shut down in July by its operators and the servers have been
    in a dormant state by the operators since then. However, we wanted
    to monitor any activity on both C2 infrastructures.

    During the process of initiating the investigation into Gauss C2s
    and creating sinkholes we notified trusted members of the security
    and anti-malware community about the sinkhole IP and operation so
    that they were aware of any activity. FireEye's post about the
    Gauss C2 samples connecting to the same servers as Flame are
    actually our sinkholes they're looking at.

    With some easy Googling and checking on WhoIs, researchers could
    have verified all of this.

    Since the investigation and sinkhole operation are still in
    progress we do not have any more information to provide at this
    time.
Late on Thursday afternoon, FireEye, the security firm that published the findings, published a retraction. 

[...]
Previous By Date Next
Previous By Thread Next

Current thread: