Researchers from Kaspersky Lab today shared new findings that uncover the first true link between the two targeted malware families -- shared source code, indicating that the efforts were intertwined. "We have found a conclusive link between Stuxnet and Flame," says Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab. This conclusion represents an about-face for Kaspersky, which when it first revealed the discovery of Flame two weeks ago had believed the two malware families were separate, parallel projects with no shared code.
Flame appears to have been a precursor to Stuxnet, according to the new research: it was already a mature platform in 2009. "We firmly believe Flame predates the Stuxnet platform. It looks like Flame was a kick-starter of sorts to get the Stuxnet project going," Schouwenberg said in an online press briefing today.
The newly found link between the Flame cyberespionage code and the Stuxnet code aimed at sabotaging Iran's nuclear program is a piece of code known as Resource 207, which Kaspersky found in the earliest Stuxnet variant (Stuxnet.a) and which contains a full Flame module. "Inside Resource 207 you can find a Flame module -- obviously, this is a huge discovery," Schouwenberg says.
Also inside Resource 207, which handled spreading Stuxnet via USB drives, was an exploit for a Windows bug that was still a zero-day when the exploit was written. That brings the count of zero-day exploits used in Stuxnet to five, according to Kaspersky.
The "new" fifth zero-day is a local privilege-escalation exploit. "So we have a new, old zero-day," Schouwenberg says. Kaspersky alerted Microsoft about the exploit, which was created in February 2009; the bug it targets was patched in June 2009 as MS09-025.
In its blog post today, the antivirus firm published a side-by-side comparison of the Stuxnet.a resource, Flame, and the Flame plug-in code that shows nearly identical code. "The code is extremely similar," Schouwenberg says. "So the Flame group shared the source code with the Stuxnet group," which indicates a cooperative effort in both malware development projects, rather than parallel efforts, he says.
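The link described above rests on one fact: a module embedded as a resource in one sample also turns up in another family. The following Python script is an added example, not Kaspersky's or Symantec's code, of the most basic way to check for that across a sample set: it carves every well-formed PE image out of two blobs, hashes each, and reports the modules the two blobs share. It assumes the embedded module is stored as plain PE bytes; a resource that is packed or encrypted, as malware resources often are, has to be decoded before this finds anything. The `build_minimal_pe` helper and the two container blobs are constructed test data, not real samples.

```python
import hashlib
import struct

# PE/COFF constants (from the Microsoft PE format specification)
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # offset of e_lfanew in the DOS header
COFF_HEADER_SIZE = 20           # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40        # IMAGE_SECTION_HEADER


def _parse_pe_at(blob: bytes, pos: int):
    """Return the bytes of the PE image starting at blob[pos], or None if no
    well-formed image starts there. The image is bounded by the end of the
    furthest section's raw data, so trailing container bytes are excluded."""
    if pos + E_LFANEW_OFFSET + 4 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + E_LFANEW_OFFSET)[0]
    nt = pos + e_lfanew
    if e_lfanew < 0x40 or nt + 4 + COFF_HEADER_SIZE > len(blob):
        return None
    if blob[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", blob, nt + 6)[0]
    size_optional = struct.unpack_from("<H", blob, nt + 20)[0]
    section_table = nt + 4 + COFF_HEADER_SIZE + size_optional
    end = section_table + num_sections * SECTION_HEADER_SIZE
    if num_sections == 0 or num_sections > 96 or end > len(blob):
        return None  # 96 is the loader's section limit
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...; raw pointers are relative to the image start
        size_raw, ptr_raw = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, pos + ptr_raw + size_raw)
    if end > len(blob):
        return None  # truncated: the container does not hold the whole image
    return blob[pos:end]


def carve_pe_modules(blob: bytes):
    """Return [(offset, image_bytes)] for every well-formed PE image embedded in blob."""
    found = []
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        image = _parse_pe_at(blob, pos)
        if image is not None:
            found.append((pos, image))
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def shared_modules(sample_a: bytes, sample_b: bytes):
    """Map sha256 -> (offset in a, offset in b) for embedded PE images present in both samples."""
    hashes_a = {hashlib.sha256(m).hexdigest(): off for off, m in carve_pe_modules(sample_a)}
    hashes_b = {hashlib.sha256(m).hexdigest(): off for off, m in carve_pe_modules(sample_b)}
    return {h: (hashes_a[h], hashes_b[h]) for h in hashes_a.keys() & hashes_b.keys()}


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed test data: a tiny PE image with one section holding payload.
    It satisfies the carver's structural checks but is not loadable (no optional header)."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, one section, no optional header
    ptr_raw = e_lfanew + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE  # raw data follows the headers
    section = b".data\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), ptr_raw, 0, 0, 0, 0, 0x40000040)
    return dos + IMAGE_NT_SIGNATURE + coff + section + payload


if __name__ == "__main__":
    # Constructed containers: the same embedded module at different offsets with different padding.
    module = build_minimal_pe(b"FLAME-MODULE-BYTES-" * 4)
    sample_a = b"\x00" * 100 + module + b"\xaa" * 50
    sample_b = b"STUFF" + b"\x11" * 300 + module + build_minimal_pe(b"other") + b"\xbb" * 20
    for digest, (off_a, off_b) in shared_modules(sample_a, sample_b).items():
        print(f"shared module {digest[:16]}... at 0x{off_a:x} in sample A and 0x{off_b:x} in sample B")
```

Exact-hash matching only catches a module reused byte for byte; the near-identical but not identical code Kaspersky describes needs a fuzzy or function-level comparison on top of this, which is the step the side-by-side disassembly took.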
Liam O Murchu, research manager for Symantec Security Response, which refers to Flame as Flamer, confirmed that Stuxnet and Flame share some of the same source code. "Due to Flamer's disjointed code and its complexity, we cannot confirm whether just one group was behind Flamer. We will be continuing to share updates on Flamer in the near future, as well as in the months ahead," O Murchu says.
Gunter Ollmann, vice president of research at Damballa, says the connection between Flame and Stuxnet is not surprising: Researchers have seen multiple Flame toolkits built for reconnaissance, while Stuxnet was written for a specific attack. He describes Flame as a hacking toolset, augmented with target-specific modules, that evolves over time; different kits may have come from different teams of developers at different times, he says.
Interestingly, Kaspersky had picked up a sample of Stuxnet.a back in October 2010, but because it looked nothing like the widespread Stuxnet.b that had been under scrutiny since its discovery, the researchers determined it wasn't really Stuxnet and renamed the sample "Tocy." When researchers recently dug back through previous logs searching for signs of Flame, they rediscovered Tocy and noticed its strong resemblance to Flame. "That prompted us to look at the first variant of Stuxnet again," which had not been studied as heavily as Stuxnet.b, Schouwenberg says.
They realized Tocy had originally been classified as Stuxnet by their automated malware analysis systems. In effect, the researchers had set aside, back in 2010, the evidence that tied Flame to Stuxnet.
Marcus Chung, COO at Malwarebytes, says this reinforces the theory that there are no accidents when it comes to malware. "For us, it tells us you have to carefully take a look" at samples, Chung says. "What does this mean for us security vendors? We need to make sure we do our job to detect these threats. It's a wake-up call: We need to make sure we look at these things and keep [these attacks] in the backs of our minds."
The Flame module was removed from Stuxnet in 2010, Kaspersky says, and a different propagation method was incorporated. "After 2009, the evolution of the Flame platform continued independently from Stuxnet," says Alexander Gostev, head of Kaspersky's global research and analysis team. There were two independent development teams: one for Flame and one for Tilded, the platform behind Stuxnet and Duqu. "Each of these teams has been developing its own platform since 2007-2008 at the latest," he said in a post today.
Meanwhile, the state-run Iranian FARS news agency reported over the weekend that Iran has traced the targeted attack against its oil ministry to the U.S., and says the malware was used to steal and destroy data.