We are confident the Flame group shared source code with Stuxnet.
Roel Schouwenberg, senior researcher, Kaspersky Lab
Flame, which predates Stuxnet, was likely removed once Stuxnet reached a certain level of maturity around 2010, the researchers said. The module, central to Flame’s propagation, helped in attacks against oil facilities in Iran and used by Stuxnet to attack a uranium enrichment facility in the same country.
“We are confident the Flame group shared source code with Stuxnet,” said Roel Schouwenberg, senior researcher for Kaspersky’s Global Research and Analysis Team. “This is huge because previously we’ve only seen sharing of exploit code, not source code. It’s not quite the same.”
Schouwenberg said exploit code could have been bought or shared from a third party, but source code is essentially a software engineer’s intellectual property, and is not usually shared.
Podcast: Demystifying nation-state attacks and their impact
Jim Lewis of CSIS and Stephen Cobb of ESET join the SearchSecurity team in a discussion about the impact that nation-state attacks have on the security industry and the way businesses secure their systems. Stuxnet, Flame and Duqu are being linked to state-sponsored cyber activities, but experts say the real threat may come from cybercriminals who follow no rules of engagement and are difficult to control. Listen to the prodcast on the impact of cyberwarfare and cyberespionage
“With these types of operations, source code is the ultimate possession,” Schouwenberg said. “This time it was shared. Flame and Stuxnet (developers) worked together.”
The Flame module, found inside one of Stuxnet’s resources, also contained the autorun functionality reused by Stuxnet in later variants to enable infected USB’s to execute the malware, as well as the Flame file named atmpsvcn.ocx. Kaspersky researchers also discovered a new privilege escalation exploit that targeted a since-patched Windows zero-day vulnerability (MS09-025). The attack was a zero-day at the time since its creation date was February 2009, and MS09-025 was released in May 2009.
“We firmly believe the Flame platform predates Stuxnet and was a kick-starter of sorts to get Stuxnet going,” Schouwenberg said. “After Stuxnet.a, it was removed and Flame and Stuxnet went their separate ways in 2010.”
Flame was reported two weeks ago after infections were detected on fewer than 500 machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt. It likely spreads via targeted spear phishing attacks, or infected USB sticks. The toolkit includes replication capabilities, and is able to log keystrokes, sniff network traffic, take screenshots, record audio and steal data. The toolkit is 20MB, one of the biggest pieces of malware discovered. Reports also surfaced last week that Flame attackers were using a new MD5 collision attack to use a forged Microsoft digital certificate to sign the malware as legitimate.
“This was not an ordinary MD5 collision attack; there has been some research published about collision attacks, but this was a completely new collision attack,” Schouwenberg said. “If it truly dates to 2009, this attack was done well before any published documentation on this matter. There are world-class crypto experts involved. This is top-quality attack.”
Researchers are still dissecting Flame and are unsure if there are further similar bits of code between it and Stuxnet. To date, the similarities include the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming, a Kaspersky release said.
“The fact that they shared common exploits didn’t tell us whether they worked together,” Schouwenberg said. “The fact that they shared source code with Stuxnet, proves there is a link and that they cooperated at least once. It confirms our beliefs that Flame and Stuxnet were parallel projects commissioned by the same entities.”