Friday, 24 August 2012 15:14

FireEye Misidentifies Kaspersky Sinkhole as A Shared CNC Server for Gauss and Flame


It appears that the earlier claims from FireEye about a link between Gauss and Flame were a little premature. According to their blog, they had found what appeared to be a shared command and control server. This was a significant find, as it linked the two serious pieces of malicious code together and would have made Gauss another in the growing list of suspected state-sponsored cyber-attacks. Unfortunately for FireEye, what they thought was a command and control (CNC) server turned out to be a sinkhole run by Kaspersky Lab.

According to an update posted on FireEye’s blog, they reached this incorrect conclusion because no one had told them that any sinkholes were being run to capture the CNC traffic. This led them to believe that the IP was, in fact, a live command and control server.

In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sink-holed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates.
 
We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.

It almost seems that the security blogs are becoming as bad as some in the technical press. Everyone is eager for that big scoop, and at times it looks like there is little to no fact checking on the subject. In this case a simple check with others investigating the IP of the suspected CNC would have prevented the original post claiming a link, and probably prevented more than a few articles from being published by other media outlets. We are sure that this was not intentional on the part of FireEye, and we do agree with them that more information should be shared between security teams, but we also know this is unlikely to happen, as doing so would take away the chance of being the first to find the next big thing in the malware world.
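The mistake described above is a failure mode of infrastructure-overlap analysis: two families whose domains resolve to the same IP look related until you learn that the IP is a sinkhole, where many unrelated malware domains are deliberately pointed by researchers. The following is an added example, not code from the article, FireEye or Kaspersky, showing how a triage step can account for that. It uses constructed passive-DNS-style records and a constructed list of known sinkhole IPs (all domains and addresses are placeholders), and it also goes slightly beyond the article by flagging an IP that many unrelated families resolve to as a suspected sinkhole even when it is not on the shared list.

```python
"""Infrastructure-overlap triage that accounts for sinkholes.

Added example (not from the article). Records, families, domains and IPs
below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    """One observed domain -> IP resolution, tagged with the malware family the domain belongs to."""
    family: str
    domain: str
    ip: str


# Constructed sample: two families share 198.51.100.10, which (in this scenario)
# is a researcher-run sinkhole; 203.0.113.7 is a genuinely shared host; 192.0.2.50
# is hit by three unrelated families and is not on our sinkhole list.
SAMPLE_RESOLUTIONS = [
    Resolution("flame", "flame-c2.example", "198.51.100.10"),
    Resolution("gauss", "gauss-c2a.example", "198.51.100.10"),
    Resolution("gauss", "gauss-c2b.example", "198.51.100.10"),
    Resolution("gauss", "gauss-c2c.example", "203.0.113.7"),
    Resolution("other", "unrelated.example", "203.0.113.7"),
    Resolution("fam-a", "a.example", "192.0.2.50"),
    Resolution("fam-b", "b.example", "192.0.2.50"),
    Resolution("fam-c", "c.example", "192.0.2.50"),
]

# Constructed list of IPs that other researchers have told us they sinkhole.
KNOWN_SINKHOLES = {"198.51.100.10"}


def shared_infrastructure(resolutions):
    """Map each IP to the families whose domains resolve to it; keep IPs shared by two or more families."""
    by_ip = defaultdict(set)
    for r in resolutions:
        by_ip[r.ip].add(r.family)
    return {ip: fams for ip, fams in by_ip.items() if len(fams) > 1}


def assess_overlaps(resolutions, sinkholes, sinkhole_family_threshold=3):
    """Return a sorted list of (ip, families, verdict).

    An IP on the known-sinkhole list, or one that an implausibly large number of
    unrelated families resolve to, is not evidence that the families are linked.
    """
    findings = []
    for ip, fams in sorted(shared_infrastructure(resolutions).items()):
        if ip in sinkholes:
            verdict = "no-link: shared IP is a known sinkhole"
        elif len(fams) >= sinkhole_family_threshold:
            verdict = "suspected-sinkhole: many unrelated families resolve here; confirm with the community"
        else:
            verdict = "candidate-link: verify with other researchers before publishing"
        findings.append((ip, frozenset(fams), verdict))
    return findings


def families_linked(resolutions, sinkholes, fam_a, fam_b):
    """True only if the two families share at least one IP that survives the sinkhole checks."""
    return any(
        fam_a in fams and fam_b in fams and verdict.startswith("candidate-link")
        for _, fams, verdict in assess_overlaps(resolutions, sinkholes)
    )


if __name__ == "__main__":
    for ip, fams, verdict in assess_overlaps(SAMPLE_RESOLUTIONS, KNOWN_SINKHOLES):
        print(ip, sorted(fams), verdict)
    # Without the sinkhole list the overlap looks like a link; with it, the link disappears.
    print("gauss<->flame, no sinkhole data:", families_linked(SAMPLE_RESOLUTIONS, set(), "gauss", "flame"))
    print("gauss<->flame, with sinkhole data:", families_linked(SAMPLE_RESOLUTIONS, KNOWN_SINKHOLES, "gauss", "flame"))
```

The point of the design is that `families_linked` returns `True` for the Gauss/Flame overlap when the sinkhole list is empty and `False` once the shared IP is known to be a sinkhole, which is exactly the difference between FireEye's first post and its correction. The family-count heuristic is only a prompt to go and ask; the authoritative answer still comes from the researchers who operate the sinkhole.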

Last modified on Friday, 24 August 2012 15:21