Researchers link Stuxnet and Flame cyberweapons
By Stewart Mitchell
Posted on 11 Jun 2012 at 16:30
Researchers have discovered a direct link between the Stuxnet virus that emerged two years ago and the recently discovered Flame cyber espionage virus.
Flame was discovered late last month targeting Middle Eastern computers, while Stuxnet was apparently designed to attack Iran's nuclear programme.
Initially, experts believed the two high-profile cyberweapons came from fundamentally different development stables, but according to security firm Kaspersky, the tools share a similar lineage, although the family tree split two years ago.
“By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence and already had modular structure,” said Alexander Gostev, head of the Global Research and Analysis Team at Kaspersky Lab, in a blog post.
“The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet.”
That module appeared only in an early version of Stuxnet, not in the more commonly spotted 2010 edition, which explains why security researchers had failed to make the link before.
Spot the difference
Kaspersky said it had almost stumbled on the relationship when its automatic tools highlighted similarities between Flame and a virus that had previously been flagged as a variant of Stuxnet.
“In October 2010, our automatic system received a sample from the wild. It analysed the file thoroughly and classified it as a new Stuxnet variant, Worm.Win32.Stuxnet.s,” said Gostev. “With Stuxnet being such a big thing, we looked at the sample to see what it was! Sadly, it didn’t look like Stuxnet at all, it was quite different. So we decided to rename it to Tocy.a and thought 'silly automatic systems'!”
It was only when the system also flagged Tocy.a as a variant of Flame that the similarity was spotted.
“We thought, how was it possible? Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet,” said Gostev.
“It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection.”
The finding raises the possibility of either a joint national cooperation - Israel and the US have both been mooted as likely creators of the Stuxnet virus - or two departments within one country's cyber defence teams.
“We believe that source code was used, rather than complete binary modules,” said Gostev. “Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities.”
"Israel and the US have both been muted as likely creators of the Stuxnet virus"
Do you mean muted or mooted - I think the latter. Although Israel & the US's silence on the matter (assuming them to be involved) might cause one to choose the former!
By WilliamW on 11 Jun 2012
