That sinkhole feeling: hunt for Gauss-Flame link ends in security collision

Mega find actually a messy #FAIL.

A security researcher on Thursday thought he found concrete evidence the recently discovered sophisticated Gauss malware was run by the group behind state-sponsored Flame, but what he uncovered was the work of security researchers at Kaspersky Lab.

Security firm FireEye on Thursday reported what could have been a significant discovery in the hunt for connections between two ‘super’ malware samples. For a few hours, Gauss, discovered by Kaspersky Lab in June, was irrefutably run by the same operation that controlled cyber-espionage tool, Flame.

Gauss was found to have targeted banking customers in Lebanon and the Middle East and was unique in that it appeared to be designed to observe financial transactions over the more common task amongst banking trojans of stealing funds.

Kaspersky Lab had drawn connections between the two malware samples, as well as Stuxnet, but only went so far as saying they were made in the same “factory”.

FireEye went a step further in a now retracted claim that two were being operated by the same group. Its key evidence was that two domains Kaspersky Lab picked up as command servers -- and -- had laid “dormant” for some time, but recently changed from pointing to IP addresses located in Portugal and India to addresses thought to be Flame’s Netherlands-based command servers.

“This shift in its CnC confirms that the guys behind Gauss and Flame/SkyWiper are the same,” FireEye malware researcher Ali Islam said on the company’s blog Thursday shortly before it was taken down.

The only problem was that the new server was part of a sinkhole operation used to observe Gauss that was being controlled by researchers at Kaspersky Lab.

Kaspersky Chief Security Expert Alexander Gostev issued Ars Technica with the following statement:

“After discovering Gauss we started the process of working with several organizations to investigate the C2 servers with sinkholes. Given Flame's connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss’ C2 infrastructures. It’s important to note that the Gauss C2 infrastructure is completely different than Flame's. The Gauss C2s were shut down in July by its operators and the servers have been in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures.

During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity. FireEye's post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they're looking at.

With some easy Googling and checking on WhoIs, researchers could have verified all of this.

Since the investigation and sinkhole operation are still in progress we do not have any more information to provide at this time.”

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts