Kaspersky says that while Stuxnet/Duqu and Flame appear to have been developed by different teams, those teams collaborated at some point in the past.
Published Monday, 11 June 2012
By Mark Sutton
Kaspersky Lab says that it has uncovered evidence that the Flame and Duqu/Stuxnet cyber attacks are connected.
The security company says the two attacks shared a module used to spread the infection via USB drives.
It had initially been thought that Flame and Duqu/Stuxnet were created by different groups, because of their different development approaches and the lack of any evidence linking the two. Researchers now believe that while separate groups created each attack, those groups collaborated at some point in the past.
A statement from Kaspersky said: "The module, identified as 'Resource 207', was found in an early-2009 version of Stuxnet, but it is actually a Flame plugin. This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025.
Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new "zero-day" vulnerabilities.
The earliest known version of Stuxnet, supposedly created in June 2009, contains a special module known as 'Resource 207'. In the subsequent 2010 version of Stuxnet this module was completely removed. The 'Resource 207' module is an encrypted DLL file, and it contains an executable file of 351,768 bytes named 'atmpsvcn.ocx'. This particular file, as now revealed by Kaspersky Lab's investigation, has a lot in common with the code used in Flame. The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and similar approaches to file naming.
More than that, most sections of code appear to be identical or similar in the respective Stuxnet and Flame modules, which leads to the conclusion that the exchange between the Flame and Duqu/Stuxnet teams was done in the form of source code (i.e. not in binary form). The primary functionality of the Stuxnet 'Resource 207' module was distributing the infection from one machine to another, using removable USB drives and exploiting a vulnerability in the Windows kernel to obtain escalation of privileges within the system. The code responsible for distribution of malware using USB drives is completely identical to the one used in Flame."
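As an added illustration (this is not Kaspersky's tooling and not code from the original article), the script below shows how the three kinds of evidence the statement lists can be turned into measurable artifacts: names in the Win32 kernel-object namespaces where mutex names live, the shape of temporary-file names, and the longest byte run two samples have in common. The three samples, their byte contents, the 32-byte "shared code" threshold and all names are constructed for this example and stand in for nothing real; real binary diffing works on disassembled functions rather than raw byte runs.

```python
"""Artifact-overlap check: mutex-style names, file-naming conventions and
identical byte runs shared by two samples.  Added example, not Kaspersky's
tooling; every sample byte below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Set

MIN_STRING_LEN = 6   # same default as strings(1)
MIN_CODE_RUN = 32    # assumed threshold: a shared run this long is treated as shared code


def extract_strings(blob: bytes) -> List[str]:
    """Printable-ASCII runs of at least MIN_STRING_LEN bytes, as strings(1) reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def mutex_names(strings: List[str]) -> Set[str]:
    """Names in the Global\\ / Local\\ kernel-object namespaces (where mutex names usually sit)."""
    return {s for s in strings if s.startswith(("Global\\", "Local\\"))}


def file_name_patterns(strings: List[str]) -> Set[str]:
    """Reduce file names to their shape (letters -> A, digits -> 9, extension kept) so that
    ~XY1234.tmp and ~XY9876.tmp compare as the same naming convention."""
    shapes = set()
    for s in strings:
        m = re.fullmatch(r"([\w~]+)\.([A-Za-z]{1,4})", s)
        if m:
            stem = re.sub(r"[A-Za-z]", "A", re.sub(r"\d", "9", m.group(1)))
            shapes.add(f"{stem}.{m.group(2).lower()}")
    return shapes


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte sequence present in both blobs (O(len(a)*len(b)) DP).
    Adequate for small modules; production binary diffing works per function instead."""
    prev = [0] * (len(b) + 1)
    best = 0
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        ai = a[i - 1]
        for j in range(1, len(b) + 1):
            if ai == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best = cur[j]
        prev = cur
    return best


@dataclass
class Comparison:
    shared_mutexes: Set[str]
    shared_name_patterns: Set[str]
    longest_shared_run: int

    @property
    def shares_code(self) -> bool:
        return self.longest_shared_run >= MIN_CODE_RUN


def compare(a: bytes, b: bytes) -> Comparison:
    sa, sb = extract_strings(a), extract_strings(b)
    return Comparison(
        shared_mutexes=mutex_names(sa) & mutex_names(sb),
        shared_name_patterns=file_name_patterns(sa) & file_name_patterns(sb),
        longest_shared_run=longest_common_run(a, b),
    )


# --- constructed samples (invented bytes, not taken from any real malware) ---
# 48 non-printable bytes standing in for a string-decryption routine embedded in two samples.
DECRYPT_STUB = bytes(0x80 + (i * 37) % 128 for i in range(48))
# Distinct, non-printable filler per sample so only the deliberately shared pieces overlap.
FILL_A, FILL_B, FILL_C = bytes([1, 2, 3, 4]), bytes([0x11, 0x12, 0x13, 0x14]), bytes([5, 6, 7, 8])

SAMPLE_A = (b"MZ" + FILL_A + b"Global\\ExampleMutexOne\x00" + b"~XY1234.tmp\x00"
            + FILL_A + DECRYPT_STUB + FILL_A)
SAMPLE_B = (b"MZ" + FILL_B + b"Global\\ExampleMutexOne\x00" + b"Global\\AnotherMutex\x00"
            + b"~XY9876.tmp\x00" + FILL_B + DECRYPT_STUB + FILL_B)
# Control: unrelated sample with its own names and its own, different, decryption stub.
SAMPLE_C = (b"MZ" + FILL_C + b"Local\\UnrelatedMutex\x00" + b"config.ini\x00"
            + FILL_C + bytes(0x80 + (i * 41) % 128 for i in range(48)) + FILL_C)

if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        r = compare(SAMPLE_A, other)
        print(f"A vs {name}: mutexes={sorted(r.shared_mutexes)} "
              f"names={sorted(r.shared_name_patterns)} "
              f"longest_run={r.longest_shared_run} shares_code={r.shares_code}")
```

Against sample B the check reports the shared mutex name, the shared `~AA9999.tmp` naming shape and a 48-byte identical run (the stub); against the control sample C it reports nothing and a longest common run of only a few bytes, which is what separates "same convention and same code" from coincidental overlap.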
Alexander Gostev, chief security expert, Kaspersky Lab, commented: "Despite the newly discovered facts, we are confident that Flame and Tilded are completely different platforms, used to develop multiple cyber-weapons. They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected."