Shared code indicates Flame, Stuxnet creators worked together
Researchers at Kaspersky Lab say code is shared in the two threats and that there was an exploit in Stuxnet that was previously unknown.
A chunk of code used in both Stuxnet and Flame shows that the developers of the two pieces of malware shared their work, researchers at Kaspersky Lab said today.
There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said. Both projects were state-sponsored, experts believe.
In addition, a previously undiscovered elevation-of-privilege exploit is in Stuxnet.A, an early variant of the malware that experts believe was developed to sabotage Iran's nuclear program, Roel Schouwenberg, senior researcher at Kaspersky Lab, said in a Web conference with reporters.
"We have a new old Zero-Day," he said, referring to an attack that exploits a previously unknown and unpatched vulnerability. "It was a Zero-Day at the time of creation and most likely at the time of deployment." That brings to five the number of Zero-Day exploits Stuxnet used.
Initially, Kaspersky said Flame, which allows an attacker to conduct cyberespionage, and Stuxnet were possibly parallel projects. Now the connection is believed to be much tighter and Flame is thought to have been in development before Stuxnet.
"We firmly believe the Flame platform predates the Stuxnet platform. It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going," Schouwenberg said. "The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together."
Here is a summary from Kaspersky Lab of its latest findings:
- By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had a modular structure.
- The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet.
- The module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (the MS10-046 vulnerability) in place of the "old" autorun.inf method.
- The Flame module in Stuxnet exploited a vulnerability which was unknown at the time, a true Zero-Day. This enabled an escalation of privileges, presumably exploiting MS09-025.
- After 2009, the evolution of the Flame platform continued independently from Stuxnet.
Kaspersky discusses the details of its discoveries in a blog post today.