Countries where MiniFlame and Flame have been found. (Kaspersky Lab)

Researchers at Kaspersky Lab have been patiently picking apart the ingenious malware packages that romped through computer networks in the Middle East, sucking up data and destroying Iranian nuclear centrifuges and it seems Kaspersky finds a new addition to the allegedly U.S. and Israeli-sponsored family of cyber-weapons every other month. Monday they announced the discovery of the Flame malware's baby cousin, MiniFlame.

Kaspersky's bug hunters found that MiniFlame's association with Flame and related infections was Transformers-like in nature:

In early July 2012, we discovered a smaller Flame module, which appeared to be able to work by itself. The module had many similarities with Flame, so we thought it might simply be an earlier version. In the months that followed, we not only studied the connection of this malware with Flame, but also came across examples of this module being used concurrently with Gauss and being controlled by the Gauss main module.

Researchers found that MiniFlame was something of a ninja assassin compared to the other programs. Whereas Flame, Duqu and Gauss had large missions to infiltrate multiple computers in countries like Iran, Syria and Lebanon, MiniFlame targeted just a few select victims in what Kaspersky calls "highly targeted attacks." Kaspersky reported that MiniFlame, while rare compared to the more well-known malware packages, was more likely to show up in a variety of countries, including a computer located at the Francois Rabelais University in Tours, France.

Wired also noted that Kaspersky determined that one machine in Lebanon is the lucky recipient of every nasty cyber weapon in the family:

[There] is one machine in Lebanon – what [senior Kaspersky researcher Roel] Schouwenberg calls "the mother of all infections" – which has Flame, Gauss, and miniFlame/SPE on it. "It is like everybody wanted to infect that specific victim in Lebanon for some reason," he says.

Kaspersky knows there are two more malware packages still in the wild, currently code-named only SP and IP. They may function much like the previously known malicious programs, churning through the guts of target computers for sensitive data to send home to their controllers before they execute the final trick in their arsenal, deleting themselves and vanishing from the infected system as if they'd never been there at all, like ghosts. Or ninjas.

Screengrab from a site defaced by Sizzling Soul.

Protests against anti-Muslim "film" Innocence of Muslims have been violent and continue in several countries, but they have not yet exploded into sustained military conflict. However, religiously motivated hackers are waging active war online. While DDoS (Directed Denial of Service) hits against large, well-known sites owned by financial instutions may have been sponsored by Iran, independent Muslim hackers appear to be targeting a slew of small websites with wickedly effective full-blown hacks and defacements.

A hacker calling himself Sizzling Soul and claiming membership in a hacker collective dubbed the Pakistan Cyber Army has taken down more than 80 sites in the name of the Prophet. Many of of those sites remain under his control and are displaying his message:

100 %
Attempting Bypass…
Code broken!
A message for Boobish People:
Dont Try To Insult Our PROPHET (P.B.U.H)
Why You People Always Try To Attack Our Religion?
You Made An Insulting Movie Of PROPHET(P.B.U.H)”
Damn
This Is Totally Insane,.
You Are Provoking The Anger Of PeaceFull Muslims!
Stop This
Otherwise You WOn’t Be Able To Stop Us
This Is Just A Warning For You….
If You Don’t Stop,Next Attack Will Destroy Yours Whole Cyber Space
If You Want Some Then Come And Get Some…

As HackRead notes, most of Sizzling Soul's victims are "small and local businesses, such as banks, chemical factories" as well as pages related to gaming and the auto industry.

Sizzling Soul has listed his hits on Pastebin. We could joke about the hacker choosing easy targets, but going after so many small establishments could add up to a minor but noticeable hit on multiple local economies.

Sizzling Soul isn't the only cyber attacker working this angle. A hacker with the handle Rude_Thunder has slammed over 100 sites and posted his own list on Pastebin, stating the web pages were "defaced for insulting the holy Prophet."

Since Google will not completely remove Innocence of Muslims from the web, we suspect you should just change your passwords now and hang on for more bumpy rides to come, Boobish People.

Stuxnet, the first shot across the bow. (Krebs On Security)

Cyber attackers who went after Chase and Bank of America with Directed Denial of Service (DDoS) attacks on the banks' websites may have been working for Iran.

A report from the Washington Post cites several officials who have made this claim, including Senator Joseph Lieberman, the chair of the Homeland Security and Governmental Affairs Committee.

The Post reports that in an interview with C-SPAN, Sen. Lieberman disputed the idea the attackers were independent hacktivists outraged by a controversial anti-Muslim film:

"I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites," said Lieberman in an interview taped for C-SPAN's "Newsmakers" program. "I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability." The Quds Force is a special unit of Iran's Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to "the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

The Post also reported that there have been similar attacks against American telecoms such as AT&T and Level 3.

What wasn't clear from Sen. Lieberman's remarks or the Post's report was whether the "Cyber fighters of Izz ad-din Al qassam," who claimed credit for the attacks and dubbed them "Operation Ababil" were opportunistic trolls or misdirection by Iranian cyber forces.

If officials and cyber-security experts quoted by the Post are correct, it is likely Iran intended the bank attacks as a response to U.S. actions such as the infiltration of the Stuxnet worm, which disrupted Iranian nuclear operations in 2010. Stuxnet targeted uranium enrichment centrifuges and caused them to spin wildly out of control.

The most recent Pastebin post from the Cyber fighters of Izz ad-din Al qassam claimed the attack on Chase's web properties was step two. They seemed to imply there were several more steps to go.

Izz ad-Din al-Qassam (Wikimedia)

The Cyber fighters of Izz ad-din Al qassam, a group of cyber-attackers who have targeted Bank of America and the New York Stock Exchange, allegedly struck J.P. Morgan Chase today. Fox Business reported on the site outage at Chase.com and consulted with Flashpoint Partners about the problems. Flashpoint told Fox that Chase's problems were probably due to a "sustained denial of service attack."

The religiously-motivated hackers, who claim they are responding to the anti-Muslim video, Innocence of Muslims, have published a new Pastebin page claiming credit for the Chase attack:

In the name of Allah the companionate the merciful

My soul is devoted to you Dear Prophet of Allah

"Operation Ababil" started over BoA :

http://pastebin.com/mCHia4W5
http://pastebin.com/wMma9zyG

In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet.

The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !

Down with modern infidels.

### Cyber fighters of Izz ad-din Al qassam ###

"Operation Ababil" was also the name of a failed Pakistani military operation that occurred in April, 1984.

Pakistan planned the maneuver (sometimes spelled "Operation Ababeel") as an effort to capture a glacier in the long-disputed region of Kashmir. India learned of the plan and managed to seize the area two days before Pakistan pulled the trigger on the mission.

Are the Cyber fighters of Izz ad-din Al qassam hinting that they might be based in Pakistan? Not necessarily--the name of the operation could be a red herring.

The group's moniker may mean more than whatever they call their efforts against financial institutions; Izz ad-din Al qassam, according to Wikipedia, was the name of a Syrian-born "Muslim preacher who was a leader in the fight against British, French, and Zionist organizations in the Levant in the 1920s and 1930s."

Innocence of Muslims has been blocked in Pakistan and several other heavily Muslim countries but Google has refused to completely remove the film from the web.

What Flame did to Iranian computers. (Image: William Warby, Flickr)

The Cold War is over and Russia and America are getting along. So surely the Men in Black behind the United States' cyber weapons program based at Area 51 or wherever will not be too concerned that a Russian researcher cracked an encoded password associated with the now infamous, allegedly American-made Flame malware.

Symantec and Kaspersky recently teamed to pick apart Flame's command and control systems, discovering at least three previously unknown infectious scripts in the process. The researchers also discovered a great deal about how the weapons were assembled and launched against enemy targets, but were left with a hashed passcode they couldn't break. They put out a call for help but didn't need the assistance of anyone outside either outfit, after all:

Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast. [...]

The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.

So now the whole world knows the password that once protected the servers behind Flame, a complex and sophisticated cyber weapon that was a major blow to Iran's nuclear program.

Which is a little scary, because if someone can crack the password that once protected such a covert weapon created by a nation state, the average Internet user's method of password protecting their GMail with a pet's name plus grandma's birthday doesn't seem too safe anymore.

Screengrab

Bank of America customers have had a hard time accessing the bank's website today--and a claim posted by a Muslim hacker group on Pastebin.com may have something to do with that. Reuters has reported that the "scope of the problem could not immediately be learned" but BoA customers across the country were having similar problems.

In a Pastebin post made sometime Tuesday, a group claiming to speak "In the name of Allah the companionate (sic) the merciful" wrote the following:

My soul is devoted to you Dear Prophet of Allah
Dear Muslim youths, Muslims Nations and are noblemen
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.

All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie. We will attack them for this insult with all we have.

All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.

We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.

Down with modern infidels.
Allah is the Greatest. Allah is the Greatest.

The movie referred to in the message is likely the infamous Innocence of Muslims, a garish amateur propaganda piece that has been roiling Muslim communities around the world for more than a week now.

There aren't any reports yet of similar problems with the New York Stock Exchange's site or systems, but two out of four attempts to reach Bank of America's website were unsuccessful as of 4 p.m. Eastern Time on Tuesday.

Attack workflow for Flame controllers (Symantec)

Kaspersky Lab and Symantec have teamed up to peel apart the United States' cyber warfare efforts. So far, they have uncovered the command and control systems behind the sophisticated malware as well as three previously unknown chunks of malicious code possibly related to alleged American cyber superbugs Flame and Duqu.

Reuters reports that researchers from the security firms discovered how the malware was disseminated--through an outwardly innocent-seeming content management system (CMS) named Newsforyou:

It was designed to look like a common program for managing content on websites, which was likely done in a bid to disguise its real purpose from hosting providers or investigators so that the operation would not be compromised, Kaspersky said in its report.

Newsforyou handled four types of malicious software: Flame and programs code-named SP, SPE and IP, according to both firms. Neither firm has obtained samples of the other three pieces of malware.

According to Symantec, Newsforyou allowed attackers to "upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data." Symantec writes that the mystery chunks of code were "likely unknown variants" on Flame but could have been "totally distinct malware."

More intriguing, researchers uncovered nicknames for a handful of programmers who worked on the malware over the course of the last six years or so:

The attackers were not thorough enough, however, as a file revealing the entire history of the server‘s setup was available. In addition, a limited set of encrypted records in the database revealed that compromised computers had been connecting from the Middle East. We were also able to recover the nicknames of four authors—D***, H*****, O******, and R***—who had worked on the code at various stages and on differing aspects of the project, which appear to have been written as far back as 2006.

Symantec and Kaspersky have an additional mystery for which they seek the public's help--this mysterious encoded password: 27934e96d90d06818674b98bec7230fa.

Researchers say they have attempted "brute-force" cracks of the hashed code, to no avail. If you're up for a juicy password cracking challenge that may also put you on a government watchlist, hit them up on Twitter.

This guy could also be a government agent. (Image Devdsp on Flickr

Humanity's fear of "war without end" has yet to be completely fulfilled in the analog world, but state-sponsored cyber warfare has been afoot for years and is only getting worse. That's one takeaway from cyber security expert Pete Warren's report in The Guardian on government-created malware.

Mr. Warren consulted a number of anonymous security experts with military ties to get a sense of how long major governments have been developing nefarious software packages like Flame, Duqu and Stuxnet. Some systems, writes Mr. Warren, "have been under development since at least 1996."  Moreover, the United States and its allies aren't the only nations with skin in the malware game:

"There are a lot of countries that now have these systems. Every Middle Eastern country and all the states now known as the 'Stans' [Pakistan and the former satellite states of the Soviet Union] have them", said another expert with close links to the UK intelligence agencies and who is actively engaged in combating the software.

An unnamed ex-military man in London went further, telling Mr. Warren that "Every nation now has an armory; whether well-stocked or not depends on their resources."

Like guerrilla soldiers adopting military tactics to cause destruction and mayhem, government-made software like the Flame worm has inspired copycats. The mid-August Shamoon attack, for example, targeted a Saudi-owned oil company and knocked up to 75 percent of that company's workstations offline. Shamoon resembled Flame, but a hacker group calling itself The Cutting Sword of Justice claimed credit for Shamoon. They say they are an "anti-oppression hacker group" and are "fed up of (sic) crimes and atrocities taking place in various countries around the world."

Ours is a brave new world, with lots of scary new creeping software in it.