Shared code indicates Flame, Stuxnet creators worked together
Researchers at Kaspersky Lab say code is shared in the two threats and that there was an exploit in Stuxnet that was previously unknown.
A chunk of code used in both Stuxnet and Flame shows that the developers of the two pieces of malware shared their work, researchers at Kaspersky Lab said today.
There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said. Both projects were state-sponsored, and Stuxnet was specifically designed to sabotage Iran's nuclear program, experts believe.
In addition, a previously undiscovered elevation-of-privilege Windows exploit is in Stuxnet.A, an early variant of the malware, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters.
"We have a new old Zero-Day," he said, referring to an attack that exploits a previously unknown and unpatched vulnerability. "It was a Zero-Day at the time of creation and most likely at the time of deployment." That brings to five the number of Zero-Day exploits Stuxnet used. The exploit, created in February 2009, is "strikingly similar" to one that was patched by Microsoft in June 2009, researchers said.
Stuxnet.A, which dates to about June 2009, contains a module known as "Resource 207, which is an encrypted dynamic-link library file that has an executable file that Kaspersky researchers say shares code with Flame. Resource 207 was not in Stuxnet.B, which came out in 2010. The primary functionality of the code in Stuxnet is to distribute the infection from one machine to another via removable USB drives and exploit the vulnerability in Windows kernel to obtain escalation of privileges within the system, according to a Kaspersky news release. The code responsible for distributing malware via USB drives is completely identical to the one used in Flame, the researchers said. They both use the Autorun function in Windows.
Initially, Kaspersky researchers speculated that the projects were parallel but were hesitant to say they were developed or commissioned by the same party. Now a more definite link has been established and a timeline is more clear.
"We firmly believe the Flame platform predates the Stuxnet platform. It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going," Schouwenberg said. "The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together."
Still, Alexander Gostev, chief security expert at Kaspersky Labs, was careful to highlight the distinctions between Flame and Stuxnet, whose architecture is called the "Tilded platform." "Despite the newly discovered facts, we are confident that Flame and Tilded are completely different platforms, used to develop multiple cyber-weapons," he said in the news release. "They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected."
Even though Stuxnet targeted industrial facilities, it also infected regular PCs and as a result was discovered in June 2010, about a year after the earliest known version was believed to be created. In September 2011 came Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage. Flame was discovered last month.
Like Stuxnet, Flame has turned out to be complex. Its creators used domain names registered with fake namesto communicate with infected computers in the Middle East for at least four years. And Flame was able to spread to new networks by using a spoofed Microsoft digital certificate, a technique used by Stuxnet, using a sophisticated cryptographic attack method. After Flame was exposed, its creators initiated a self-destruct program in an attempt to make the malware disappear.
In an article earlier this month, New York Times reporter David Sanger confirmed long-held suspicions that the U.S. was behind Stuxnet and Flame. Sanger, citing unnamed U.S. government sources, wrote that Stuxnet was developed by the U.S., possibly with help from Israel, as a way to preempt a military strike against Iran over its nuclear program. Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either.
Here is a summary from Kaspersky Lab of its latest findings:
Kaspersky discusses the details of its discoveries in a blog post today.
- By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had modular structure.
- The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet.
- The module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046) instead of the "old" autorun.inf.
- The Flame module in Stuxnet exploited a vulnerability which was unknown at the time, a true Zero-Day. This enabled an escalation of privileges, presumably exploiting MS09-025.
- After 2009, the evolution of the Flame platform continued independently from Stuxnet.
Updated 9:30 a.m. PT with more details and background.