[ISN] Gauss-pursuing researcher trips over Kaspersky-operated sinkhole

From: InfoSec News <alerts_at_private>
Date: Fri, 24 Aug 2012 08:08:19 -0500 (CDT)
http://arstechnica.com/security/2012/08/gauss-espionage-malware-phones-home-to-same-servers-as-iran-targeting-flame/

By Dan Goodin
Ars Technica
Aug 23, 2012

Because of incorrect research contained in the original report, this 
article previously misidentified a command and control server that was 
being accessed by computers infected by the Gauss espionage malware. 
Contrary to that report, the server is operated by researchers with 
antivirus provider Kaspersky Lab. Such "sinkholes" are used to disrupt 
computer botnets by preventing infected machines from reporting to 
malicious servers under the control of the malware operator.

Shortly after this article was published, Kaspersky Chief Security 
Expert Alexander Gostev issued the following statement:

     After discovering Gauss we started the process of working with
     several organizations to investigate the C2 servers with
     sinkholes. Given Flame's connection with Gauss, the sinkhole
     process was being organized to monitor both the Flame and Gauss’
     C2 infrastructures. It’s important to note that the Gauss C2
     infrastructure is completely different than Flame's. The Gauss C2s
     were shut down in July by their operators and the servers have been
     in a dormant state by the operators since then. However, we wanted
     to monitor any activity on both C2 infrastructures.

     During the process of initiating the investigation into Gauss C2s
     and creating sinkholes we notified trusted members of the security
     and anti-malware community about the sinkhole IP and operation so
     that they were aware of any activity. FireEye's post about the
     Gauss C2 samples connecting to the same servers as Flame are
     actually our sinkholes they're looking at.

     With some easy Googling and checking on WhoIs, researchers could
     have verified all of this.

     Since the investigation and sinkhole operation are still in
     progress we do not have any more information to provide at this
     time.

Late on Thursday afternoon, FireEye, the security firm that published 
the findings, published a retraction.

[...]
Received on Fri Aug 24 2012 - 06:08:19 PDT