http://arstechnica.com/security/2012/08/gauss-espionage-malware-phones-home-to-same-servers-as-iran-targeting-flame/ By Dan Goodin Ars Technica Aug 23, 2012 Because of incorrect research contained in the original report, this article previously misidentified a command and control server that was being accessed by computers infected by the Gauss espionage malware. Contrary to that report, the server is operated by researchers with antivirus provider Kaspersky Lab. Such "sinkholes" are used disrupt computer botnets by preventing infected machines from reporting to malicious servers under the control of the malware operator. Shortly after this article was published, Kaspersky Chief Security Expert Alexander Gostev issued the following statement: After discovering Gauss we started the process of working with several organizations to investigate the C2 servers with sinkholes. Given Flame's connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss’ C2 infrastructures. It’s important to note that the Gauss C2 infrastructure is completely different than Flame's. The Gauss C2s were shut down in July by its operators and the servers have been in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures. During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity. FireEye's post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they're looking at. With some easy Googling and checking on WhoIs, researchers could have verified all of this. Since the investigation and sinkhole operation are still in progress we do not have any more information to provide at this time. Late on Thursday afternoon, FireEye, the security firm that published the findings, published a retraction. [...]Received on Fri Aug 24 2012 - 06:08:19 PDT
This archive was generated by hypermail 2.2.0 : Fri Aug 24 2012 - 06:09:26 PDT