
Stuxnet And Flame Developers ‘Worked Together’

The developers of two of the most sophisticated pieces of malware ever created – Stuxnet and Flame – cooperated at least once, according to security firm Kaspersky.

Replicated code has been discovered across Stuxnet and Flame, providing “very strong evidence” the teams behind the malware shared source code with one another at early stages of their development, the Russian firm said.

Researchers found a module from the early 2009 version of Stuxnet – a module known as “Resource 207” – that turned out to be a Flame plugin. That module was used to spread the infection over USB drives via autorun.inf, a technique that was identical in the two pieces of malware.

Furthermore, the code for distribution using USB drives was completely identical in both, Kaspersky found.

The Resource 207 module was dropped in later versions of Stuxnet. The module was also used to exploit a once-unknown flaw in a Windows application to escalate privileges in the system once a machine was infected via a USB drive.

US developing ‘multiple cyber weapons’?

Kaspersky said that although the Stuxnet and Flame teams coordinated, they were not using the same development platform. Stuxnet used the Tilded platform, whereas Flame used a separate framework. The findings also indicated Flame could be older than Stuxnet.

“By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had modular structure,” said Kaspersky Lab expert Alexander Gostev, in a blog post.

“After 2009, the evolution of the Flame platform continued independently from Stuxnet.

“The above conclusions point to the existence of two independent developer teams, which can be referred to as ‘Team F’ (Flame) and ‘Team D’ (Tilded). Each of these teams has been developing its own platform since 2007-2008 at the latest.

“In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.”

Gostev said that he was confident Flame and Tilded are completely different platforms, used to develop “multiple cyber-weapons”.

This month, it emerged that the US was responsible for creating Stuxnet in a partnership with Israel, which could mean both were also behind Flame. One of Flame’s propagation methods involved the replication of Microsoft certificates – something Mikko Hypponen, chief research officer at F-Secure, thinks would anger the Redmond firm.

“If Flame was done in USA, it would mean that Microsoft Update was hacked by a US Government Agency. Microsoft must be mad as hell,” Hypponen tweeted.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
