Security researchers from antivirus vendor Kaspersky Labs have found evidence that the development teams behind the Flame and Stuxnet cyberespionage threats collaborated with each other.
The Kaspersky researchers determined that Flame, which is believed to have been created in 2008, and a 2009 version of Stuxnet shared one component that served the same purpose and had similar source code.
Back in October 2010, Kaspersky’s researchers analyzed a sample that had been automatically classified as a Stuxnet variant by the company’s automated systems. At the time, the researchers dismissed the detection as an error because the sample’s code looked nothing like the code in Stuxnet.
However, after Flame was discovered at the end of May, the Kaspersky researchers searched their database for malware samples that might be related to the new threat and found that the sample detected as Stuxnet in 2010 was actually a Flame module. The module uses an autorun.inf trick to infect computers via USB drives.
Upon further research, the Kaspersky analysts determined that Stuxnet.A, which was created in early 2009, uses the same autorun.inf trick to spread via USB drives. In fact, the source code responsible for this is almost identical to the one in the Flame module.
“It looks like the Flame platform was used to kick start the Stuxnet platform,” said Roel Schouwenberg, a senior researcher with Kaspersky Lab’s global research and analysis team, during a conference call with the press.
The Kaspersky researchers already knew that Stuxnet and Flame leveraged at least one of the same Windows vulnerabilities, but this wasn’t conclusive proof that their developers collaborated. The exploit could have been created by a third party that sold it to both teams, Schouwenberg said.
However, the new discovery suggests that the developers of the two malware threats actually shared source code, which is intellectual property and wouldn’t normally be shared between unrelated teams. “We are now 100-percent sure that the Flame and Stuxnet groups worked together,” Schouwenberg said.
The Kaspersky researchers discovered that the Flame module integrated into Stuxnet.A exploited a Windows elevation of privilege (EoP) vulnerability that wasn’t known at the time of the malware’s creation. This would be the fifth zero-day (previously unknown) vulnerability exploited by Stuxnet, Schouwenberg said.
The researchers believe that this vulnerability was one that Microsoft patched in June 2009, a few months after the creation of Stuxnet.A, but they are not yet certain and are still investigating.
Later Stuxnet versions stopped using the Flame module entirely and began exploiting a separate vulnerability that relied on malformed LNK (shortcut) files to propagate via USB drives.
Interestingly, the exploit code from Stuxnet.A’s Flame-borrowed module is very similar to the exploit code for a different EoP vulnerability that’s present in later Stuxnet versions. The researchers believe that both sections of code were written by the same programmer.
The theory put forward by the Kaspersky researchers is that Flame and Stuxnet were created by two separate teams as part of two operations funded by the same nation state. Flame was probably used for espionage and Stuxnet for sabotage, Schouwenberg said.
According to a recent New York Times report that quotes anonymous sources from the Obama administration, Stuxnet was created by the U.S. and Israeli governments as part of a secret operation called Olympic Games with the goal of crippling Iran’s ability to produce weapon-grade nuclear fuel.