Flame, Stuxnet Creators Collaborated, Researchers Say

By Brian Prince  |  Posted 2012-06-11

Researchers at Kaspersky Lab have found what they believe is a direct link between Flame and the Stuxnet malware that was discovered targeting uranium centrifuges at Iran's nuclear facilities.

According to Kaspersky, the main module in Flame contains code similar to what was found in an early iteration of Stuxnet. The discovery is significant, as many have questioned whether or not there was a connection between Stuxnet, Duqu (also considered linked to Stuxnet) and Flame.

As it turns out, the first version of Stuxnet, referred to by Kaspersky as Stuxnet.A, appeared in June 2009 and differed greatly from later variants. The 2009 version, for example, did not use the MS10-046 LNK file vulnerability to propagate, but used a special trick with the autorun.inf file to infect USB drives. The 2009 version also only had one driver file, whereas the 2010 versions had two.

The most significant change, however, involves something called "resource 207," a 520,192-bit DLL file that was dropped altogether in 2010 when its code was merged into other modules.

"Resource 207's main functionality was to ensure Stuxnet propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability in win32k.sys to escalate privileges in the system at [the] stage of infection from USB drive," explained Alexander Gostev, head of the Global Research and Analysis team at Kaspersky.

"Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common," Gostev noted.

Inside Resource 207 is a portable executable (PE) file that is actually a Flame plug-in, or more precisely, a proto-Flame module that has "obviously a lot in common" with the current version of its main module, mssecmgr.ocx, Gostev added.

This shared code, said Kaspersky Senior Virus Analyst Roel Schouwenberg, proves that there is a direct link between the pieces of malware and that there was early collaboration between their creators.

"I think when it comes to source code, it's much less likely that you share your source code without knowing why. ...you don't just share that with anyone," he said.

Recently, a report in The New York Times featured several sources stating President Barack Obama ordered the use of cyber-attacks against Iran. The efforts, built on plans created during the administration of former President George W. Bush, were aimed at derailing Iran's nuclear program.

"The implications for war are interesting for two reasons: First, we must assume that multiple entities [possibly including sovereigns] are engaged in the same efforts; and second, technology is transferrable, as we've seen here," noted Francis Cianfroca, chief executive officer at Bayshore Networks. "That means that as attacks become known and publicized, the techniques become easily exploitable by others. In a key sense, using cyber-weapons proliferates them. It's quite plausible to think in terms of an arms race taking place in the subterranean cyber-world."

During the analysis of Duqu, which was first detected in 2011, researchers uncovered a number of similarities with Stuxnet and ultimately concluded that the two were created using the same attack platform, known as Tilded. Despite the newly discovered facts, however, researchers remain confident that Flame and Tilded are completely different platforms, and that the Stuxnet and Flame teams worked independently from 2010 on.

"They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks," according to Gostev. "The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected."
