Positive links between the newly-discovered Flame malware and Stuxnet have been uncovered – arguing that the same author might have been responsible for at least part of both cyber weapon programs.
At the time of Flame’s discovery in May, there was no strong evidence of Flame being developed by the same team that delivered Stuxnet and Duqu. The approach to the development of Flame and Duqu/Stuxnet was different as well, which led to experts concluding the projects were created by separate teams.
However, in-depth research conducted by Kaspersky Lab experts, reveals that these teams in fact co-operated at least once during the early stages of development.
According to a statement from Kaspersky Lab, the company has discovered that a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.
This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed and that, in 2009, the source code of at least one module of Flame was used in Stuxnet, it concludes.
The Resource 207 module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025, Kaspersky Lab analysts believe.
They argue that, subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilised new vulnerabilities.
It is believes that, starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new “zero-day” vulnerabilities.
Alexander Gostev, chief security expert at Kaspersky Lab, comments: “Despite the newly discovered facts, we are confident that Flame and Tilded are completely different platforms, used to develop multiple cyber-weapons. They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other.
“However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected.”