Researchers at Kaspersky Lab have indicated that one of the primary modules that make up the recently discovered Flame malware is identical to that of code found in their analysis of the Stuxnet virus.
The code, used in the Resource 207 module that employs the Windows autorun feature, allows both pieces of malware to spread by way of removable USB memory sticks.
"Despite the fact that Stuxnet has been the subject of in-depth analysis by numerous companies and experts and lots has been written about its structure, for some reason, the mysterious “resource 207” from 2009 has gone largely unnoticed. But it turns out that this is the missing link between Flame and Stuxnet, two seemingly completely unrelated projects," writes Kaspersky researcher Aleks.
Kaspersky's preliminary analysis of the code for the two trojans had initially led the team to believe the undertakings were unrelated and "based on different architectures and each with their own distinct characteristics" given that "Flame never uses system drivers, while Stuxnet and Duqu’s main method of loading modules for execution is via a kernel driver," Aleks states.
Subsequent analysis has led Kaspersky researchers to conclude they were wrong.
"Wrong, in that we believed Flame and Stuxnet were two unrelated projects. Our research unearthed some previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame," Aleks writes.
Kasperky notes that the key to the connection between Flame and Stuxnet is hidden in the under-analyzed "resource 207" module, and their investigation shows that Flame may have been developed simultaneously along side Stuxnet, or that elements of Flame may have even preceded those of Stuxnet.
"Despite the fact that Stuxnet has been the subject of in-depth analysis by numerous companies and experts and lots has been written about its structure, for some reason, the mysterious 'resource 207' from 2009 has gone largely unnoticed. But it turns out that this is the missing link between Flame and Stuxnet, two seemingly completely unrelated projects... It turns out that Stuxnet’s resources actually contain a Flame platform component," Aleks explained.
Like Duqu, Flame appears to be designed as an intelligence gathering tool rather than a method of payload delivery like Stuxnet, which targeted Siemens Programmable Logic Controllers (PLCs), and is thought to have caused severe damage to Iranian uranium enrichment facilities.
Kaspersky researchers made the connection after noticing that Flame was originally identified as a Stuxnet strain by their systems. This led the team to further investigate why the system had made that classification.
"Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection," Aleks wrote.
Kaspersky's analysis also provides further confirmation that Stuxnet and Flame were authored by the same programmers, though there are indications they may have ultimately been developed by separate teams.
"The exploit code in the file atmpsvcn.ocx is similar to that which we, Kaspersky Lab, found in the 2010 versions of Stuxnet and which was subsequently addressed by the MS10-073 patch. The code’s style, logic and details of its implementation were the same in the 2009 and 2010 code. Clearly, these two pieces of exploit code were written by the same programmer."
Kaspersky's analysis has led the team to the following conclusions:
- "By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had modular structure"
- "The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet"
- "The module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046) instead of the “old” autorun.inf"
- "The Flame module in Stuxnet exploited a vulnerability which was unknown at the time, a true 0-day. This enabled an escalation of privileges, presumably exploiting MS09-025"
- "After 2009, the evolution of the Flame platform continued independently from Stuxnet"
The modular nature of the design in these trojans could mean that variations of the malware tailored to target other critical components of control systems could already be in development.
A detailed explanation of Kasperky's analysis can be found here: