Source code smoking gun links Stuxnet AND Flame
Kaspersky: Devious cyber-weapons share software DNA
A direct link exists between the infamous uranium enrichment sabotage worm Stuxnet and the newly uncovered Flame mega-malware, researchers have claimed.
Russian virus protection outfit Kaspersky Lab said in a blog post yesterday that although two separate teams worked on Stuxnet and Flame, the viruses' programmers "cooperated at least once during the early stages of development".
The smoking gun, in the lab's opinion, is a component in an early build of Stuxnet that appears in Flame as a plugin.
The New York Times revealed this month that Stuxnet's infiltration of Iran's nuclear programme, and subsequent knackering of the Middle East nation's uranium centrifuges, was a joint effort by the US and Israel. The project, publicly uncovered in June 2010, was initiated by the Bush administration and continued under President Barack Obama.
Stuxnet, which notoriously exploited previously unknown security vulnerabilities in Microsoft Windows to gain access to industrial control systems, was long believed to be state-sponsored and developed by an American-Israeli alliance.
Meanwhile the Flame malware - a sophisticated data-stealing worm that has also been burning through computers in the Middle East and beyond - was active for up to two years before being unearthed by security experts in May this year. A self-destruct command was issued to the espionage virus by its shadowy handlers last week, and to us on the security desk at Vulture Central that sounds an awful lot like a James Bond mission gone wrong.
Here's a quick rundown of what Kaspersky Lab found during its research:
- A module from the early 2009-version of Stuxnet, known as "Resource 207", was actually a Flame plugin.
- This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
- This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
- The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025.
- Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
- Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new 'zero-day' vulnerabilities.
Importantly, according to Kaspersky Lab's investigation, the Resource 207 module - an encrypted DLL file - contained a 341,768-byte executable file named atmpsvcn.ocx that has lots in common with the code used in the Flame malware.
"The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming," the security experts added.
Kaspersky Lab's chief boffin Alexander Gostev noted that completely different development platforms had been used to craft the separate viruses.
"The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," he said.
A technical look at how researchers spotted Flame's code nesting in the early Stuxnet version is available here. ®
COMMENTS
Orientalists creeping out of the woodwork, fellating President Bomborama
Here is a heads up
0) Iran is still in good standing regarding their nuclear ambitions and all the top brass, even the military and intelligence ones, say that serious action towards building nukes has stopped in 2003 and hasn't continued since then. The fact that politicians disagree is neither here nor there as these are sociopaths without morals who will kill anyone for a longer stint at their taxpayer-provided desk.
1) Iran is not contravening any international treaty whatsoever in running their centrifuges. Indeed, they are adhering to the NPT which certain other countries haven't even signed.
2) Iranian religious authorities consider building nukes as morally reprehensible and issued a fatwa along those lines. How serious can you get?
2) Attacking some country because one feels like it and because it can be done is generally followed by war crimes trials and ropes hanging from rafters, mmmokay?
3) Indeed even threatening it with the usual "options on the table" bull is right out as per the UN charter.
4) So is killing random people on the streets of Tehran by gun or sticky bomb.
5) Cyber-attacking is also a no-no. Remember our western geniuses saying "act of war" about that kind of retardation?
More likely they have the replacement for this one either ready to go or already in place. They know it's a matter of time before it's discovered and lay out plans ready :)
I'm more interested in these unknown vulnerabilities they used. Do they have a team of elite hackers searching for vulnerabilities, or do they purchase them on the black market, or do they just pay a guy who works at MS to take care of it?
I've never believed the stories of CIA backdoors added in by MS, but a CIA operative working undercover at MS adding the odd vulnerability and letting the boss at Langley know? That's actually pretty plausible, and would explain the rumours.
Re: Orientalists creeping out of the woodwork, fellating President Bomborama
+1 from me, purely because your numerical list is zero indexed :)
