The sophisticated espionage toolkit known as Flame is directly tied to the Stuxnet superworm that attacked Iran's centrifuges in 2009 and 2010, according to researchers who recently found that the main module in Flame contains code that is nearly identical to a module that was used in an early version of Stuxnet.
Researchers at Russia-based Kaspersky Lab discovered that a part of the module that allows Flame to spread via USB sticks using the autorun function on a Windows machine contains the same code that was used in a version of Stuxnet that was unleashed on computers in Iran in 2009, reportedly in a joint operation between the United States and Israel. The module, which was known as Resource 207 in Stuxnet, was removed from subsequent versions of Stuxnet, but it served as a platform for what would later develop into the full-fledged Flame malware that is known today.
The researchers believe the attackers may have used the Flame module to kickstart their Stuxnet project before taking both pieces of malware into different and separate directions. They've detailed the similarities between the modules in Flame and Stuxnet in a blog post.
"This could be in my opinion, together with the MD5 collision attack, maybe the biggest discoveries to date about Flame," said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. The MD5 collision attack refers to a discovery last week that Flame used a previously unknown variant of a collision attack in its efforts to sign a malicious file with a fraudulent digital certificate to trick victim machines into thinking the file was legitimate and trusted code from Microsoft.
In the version of the Flame module that was found in Stuxnet, the researchers also discovered a privilege escalation exploit that had previously been overlooked when Stuxnet was carefully examined after its discovery in 2010.
The exploit was a zero-day when the attackers first created it in February 2009. But Microsoft patched the Windows kernel vulnerability it targeted four months later, on June 9, 2009, before the attackers are believed to have launched Stuxnet for the first time on June 22, 2009.
The exploit would have allowed the attackers to gain elevated privileges on a machine whose user account lacked administrative rights, so that they could run their malicious code on it. But both this exploit and the autorun exploit were later removed in subsequent versions of Stuxnet that were released in 2010. The autorun exploit was replaced with the .lnk exploit that made Stuxnet famous, and the now-patched privilege escalation exploit was replaced with two other zero-day privilege escalation exploits that Microsoft learned about, and patched, only in 2010 after Stuxnet was exposed.
The module containing these exploits was discovered in Stuxnet only now because it appeared solely in the 2009 version of Stuxnet, and most researchers until now had focused their attention on the 2010 version. The 2010 version spread more widely than the 2009 version and was considered more interesting because it contained four zero-day exploits that the attackers had added to it.
Flame was discovered by Kaspersky Lab in early May. The malware, which had been targeting systems primarily in the Middle East, had been active for at least two years. Researchers uncovered numerous plug-in modules for the malware that can be used for stealing documents, reading written communications on a computer or recording conversations that occur over Skype or in the vicinity of a targeted computer.
It was previously reported that Flame had the ability to spread by infecting USB sticks using the autorun and .lnk vulnerabilities that Stuxnet used. It also used the same print spooler vulnerability that Stuxnet used to spread to computers on a local network. But it wasn't clear whether the teams that created Flame and Stuxnet had simply had access to a common repository of exploits or whether they had in fact cooperated on their code.
The fact that the module in the early Stuxnet version is nearly identical to the code in Flame suggests that the separate teams that created Flame and Stuxnet shared source code for the autorun exploit, rather than just binary code, implying that they may have worked more closely than previously believed.
"It obviously shows that these teams were somewhat tight, so to say. They were actually comfortable giving the source code to someone else," Schouwenberg said.
Researchers believed until now that Flame was likely part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, Duqu, but that Flame was developed separately from Stuxnet and was used for different purposes. Now researchers believe that Stuxnet's creators used part of Flame in the early stage of developing Stuxnet, perhaps because they were under pressure to get Stuxnet launched, but then developed Stuxnet separately from Flame thereafter.
They say that Flame was likely created as early as the summer of 2008 and was already a mature platform by the time the coders behind Stuxnet created their malware sometime between January and June 2009. Once the Flame module was removed from Stuxnet, both pieces of malware likely continued to be developed separately by the different teams.
"There was some initial cooperation clearly, and then this cooperation stopped," Schouwenberg said.
The team that worked on Stuxnet built its malware into a cyberweapon for conducting sabotage, while the Flame team took the module that appeared in Stuxnet and built that out to become the massive espionage tool that Kaspersky discovered last month.
The researchers say that more discoveries are yet to be made, as they continue to find more files that may be new modules for Flame.
"Right now in my inbox I have 216 files that all seem to be Flame plug-ins," said Schouwenberg. "I'm sure that a lot of them are probably duplicates. But nevertheless, there is a lot of new stuff that we need to analyze."