Flame Malware Code Traced To Stuxnet

Researchers find a link between the two different pieces of malware, suggesting that the U.S. government may be behind both.

Did the U.S. government commission the recently discovered Flame malware? According to new research, the developers of the Stuxnet and Flame malware families crossed paths--swapping source code at least once--which suggests that the U.S. government didn't just commission Stuxnet, but Flame as well.

"In 2009, part of the code from the Flame platform was used in Stuxnet," Alex Gostev, the chief malware researcher at Kaspersky Lab, said Monday in a blog post. "We believe that source code was used, rather than complete binary modules," he said, which suggests some degree of collaboration or crossover.

But based on Kaspersky's ongoing teardowns of the Flame malware discovered in late May, he believes that "since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities."

According to published news reports, senior White House officials have said that the United States led Stuxnet development, working with Israel. Hence if Stuxnet and Flame are related, it suggests that the United States is also behind the complex Flame malware.


That Stuxnet credit-taking--read by some as election-year boasting and by others as a direct warning to Iran--has led to charges that government officials mishandled classified information, although many security experts said all signs clearly pointed to the two governments having been behind Stuxnet and the related malware Duqu. Now add Flame to that equation.

But Gostev said there appear to have been different development groups behind the two malware families--each working independently since 2007 or 2008--which he refers to as "Team F" (for Flame) and "Team T" (for Tilded, which is the platform on which Stuxnet and Duqu were built).

"Flame and Tilded are completely different projects based on different architectures and each with their own distinct characteristics," he said. "For instance, Flame never uses system drivers, while Stuxnet and Duqu's main method of loading modules for execution is via a kernel driver."

According to Kaspersky Lab, Stuxnet appears to have been created in the first half of 2009, while Flame had been created by the summer of 2008. "The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet," said Gostev. That module, which he suspects exploited a then-unknown--a.k.a. zero-day--Windows kernel vulnerability later patched by Microsoft, was apparently removed in 2010. Its removal was likely prompted by Stuxnet's developers having created a new way to allow their malware to propagate, by exploiting a then-unknown Windows shell vulnerability, later patched by Microsoft.

While the two groups of malware developers appear to have shared code, "after 2009, the evolution of the Flame platform continued independently from Stuxnet," said Gostev.

Flame includes numerous attack capabilities, including the ability to spread via Windows Update by using a spoofed digital certificate. As a result, the malware can automatically install itself on targeted computers, provided that another computer on the same network had first been compromised.

But Microsoft has been working quickly to patch the certificate bug exploited by Flame. Notably, Microsoft released an update Friday for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2), which according to the release notes "strengthens the WSUS communication channels ... [by] trusting only files that are issued by the Microsoft Update certification authority."

Microsoft is also set to issue an update Tuesday--as part of its monthly Patch Tuesday--that will further update all supported versions of Windows to block Flame. Security experts are recommending that all users install the update as soon as possible, since attackers will likely attempt to use the certificate vulnerability before it becomes widely patched. "Apply the certificate patch released a week ago today if you haven't done so already," said SANS Institute chief research officer Johannes B. Ullrich in a blog post. "This way, no patch signed by the bad certificate should be accepted tomorrow. Patch Tuesday is one of the best dates to launch such an attack, as you do expect patches anyway."
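The WSUS change described above amounts to trusting update files only when their signature chains to one specific certification authority, rather than to any authority the machine already trusts. The following PowerShell function is an added illustration of that client-side check; it is not code from the article, from Microsoft, or from SANS. The function name and the root thumbprint value are assumptions: the thumbprint is a placeholder that an administrator would replace with the thumbprint of the CA they actually intend to trust, obtained through a trusted channel rather than from the package being checked.

```powershell
# Added example (not from the article or from Microsoft): before installing an
# update package fetched outside a trusted network, require that its Authenticode
# signature is valid AND that the signer chains to one pinned root certificate,
# not merely to any root in the machine's trust store.
# $ExpectedRootThumbprint is a PLACEHOLDER (assumed value); supply the SHA-1
# thumbprint of the CA you intend to trust, e.g. the Microsoft Update CA named in
# the WSUS release notes, obtained from a trusted source.

function Test-UpdateSignerChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedRootThumbprint
    )

    # Step 1: the file must carry a valid Authenticode signature at all.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting '$Path': signature status is '$($sig.Status)'"
        return $false
    }

    # Step 2: rebuild the chain ourselves so every element can be inspected,
    # and check revocation for the whole chain while doing so.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($sig.SignerCertificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Rejecting '$Path': certificate chain does not build ($reasons)"
        return $false
    }

    # Step 3: the last element of a successfully built chain is the root.
    # Pin it: a valid chain to some other trusted root is still rejected.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint.ToUpperInvariant()) {
        Write-Warning ("Rejecting '{0}': signer chains to '{1}' ({2}), not to the pinned root" -f $Path, $root.Subject, $root.Thumbprint)
        return $false
    }

    Write-Verbose ("Accepted '{0}': signed by '{1}', chain root '{2}'" -f $Path, $sig.SignerCertificate.Subject, $root.Subject)
    return $true
}

# Usage with placeholder values: only hand the package to the installer if the pin holds.
# $pkg = 'C:\Downloads\example-update.msu'   # placeholder path
# if (Test-UpdateSignerChain -Path $pkg -ExpectedRootThumbprint '0000000000000000000000000000000000000000' -Verbose) {
#     Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$pkg`"" -Wait
# }
```

The point of pinning the root, rather than stopping at a "Valid" signature status, is the scenario the article describes: a signature produced under a certificate that the operating system already trusts for other purposes passes the first check, and only the second check distinguishes the intended update authority from every other trusted CA.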

When installing the update, however, preferably do so only from a trusted environment. "Avoid patches while 'on the road.' Apply them in your home [or] work network whenever possible," said Ullrich. "This doesn't eliminate the chance of a 'man in the middle' (MitM) attack, but it reduces the likelihood."

For users who must update while on the road, perhaps because they travel frequently, always use a VPN connection back to the corporate network, said Ullrich, since hotel networks are hotbeds of malware and attacks. "Hotel networks and public hotspots frequently use badly configured HTTP proxies that can be compromised and many users expect bad SSL certificates--because of ongoing MitM attacks," he said.


6/18/2012 | 2:17:07 PM
re: Flame Malware Code Traced To Stuxnet
Malware has seen a drastic evolution in its comprehensiveness over time. Stuxnet worked more like a targeted attack on Iran's nuclear program, but Flame offers a new kind of approach. Flame operates more like throwing the kitchen sink at the problem above anything else. What I think is concerning is just how long the malware remained undetected by antivirus. In fact, Bit9 was the only security solution to announce that it stopped the malware continuously before antivirus even knew what it was.