From this, FireEye concluded that “this shift in its CnC confirms that the guys behind Gauss and Flame/SkyWiper are the same.” FireEye was correct in its observations, but incorrect in the conclusions based on those observations. The bot masters had indeed combined the C&C servers; but the bot masters were not the bad guys – they were, and are, Kaspersky.
The Gauss C&C servers had become dormant. Kaspersky had already noticed similarities between Flame and Gauss. It wanted to study both – so it redirected traffic from both set of bots to its own servers for further study and analysis. Such servers are known as sinkholes. So, in fact, FireEye’s conclusion may still be accurate, but not for the stated reason.
“But minutes after [DarkReading’s] reports of the [FireEye’s] findings went live,” reports Dark Reading, “researchers from Kaspersky Lab lit up Twitter with posts pointing out what they say was an error in FireEye's findings: The activity FireEye was seeing was from Kaspersky's sinkhole to study Gauss and Flame. Gauss had not come back to life", they said. Kaspersky chief security expert Alexander Gostev explained things further: “During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity.”
But Kaspersky did not apparently consider FireEye to be a trusted member of the security and anti-malware community because, added Gostev, “With some easy Googling and checking on WhoIs, researchers [presumably including FireEye] could have verified all of this.”
While embarrassing for FireEye, the company shouldn’t feel too bad – it’s in good company over sinkholes. Following discovery of the Flashback trojan back in April this year, Dr Web (another Russian security firm) set up three sinkhole servers to monitor Flashback bot communications. At the time, Dr Web CEO Boris Sharov said it had given Apple all the information it had (something that Kaspersky doesn’t seem to have done with FireEye). Apple’s response, however, was to contact Russian Web registrar Reggi.ru and ask for one of the servers to be shut down since it was engaged in malicious activity – which of course it wasn’t. But like FireEye, Apple had spotted the sinkhole traffic and jumped to the wrong conclusion.