Security experts have revealed that the creators of the Flame malware and the notorious Stuxnet worm, the two deadliest malicious programs ever discovered, likely collaborated with one another during their development, to the extent that they even used the same source code.
The revelation will no doubt lead conspiracy theorists to point the finger of blame at the United States and Israeli governments, which have already been accused of launching Stuxnet at Iran as part of a cyberattack to undermine its suspected nuclear weapons program.
Roel Schouwenberg, of the Moscow-based Kaspersky Lab, announced the discovery earlier this week during an online presentation of his company’s findings:
“We’re very confident that the Flame team shared some of their source code with the Stuxnet group. It’s conclusive proof that the two worked together, at least once.”
Stuxnet, which is believed to have crippled Iran’s efforts at enriching nuclear fuel for many months, wasn’t discovered until the middle of 2010, although its first variant has since been traced back to at least June 2009.
Flame has a murkier history, but experts believe that the virus could be even older than Stuxnet, possibly dating back as far as 2008, or even earlier.
The two malicious programs are believed to have been designed for different purposes – Stuxnet for attack, and Flame for reconnaissance – yet both contain a module that seems to have been written by the same programmer, originating from an identical source code. The module concerned, known as “Resource 207” is able to transfer itself from PC to PC via USB flash drives, in effect turning humans into data mules, as SiliconANGLE reported yesterday.
Resource 207 exploited a vulnerability in Windows that was later patched in June 2009. However, at the time that the module was created, the vulnerability was still unpatched, and therefore a “zero-day” bug, according to Microsoft, who claimed at the time that it had not been exploited.
Kaspersky claim that this simply isn’t true: the EOP exploit of the Windows kernel vulnerability had in fact been used by both Flame’s and Stuxnet’s earlier versions.
Schouwenberg revealed that “The attack module had a creation date of February 2009. It exploited a zero-day at the time of creation, which was most likely at the time of Stuxnet’s deployment.”
The original variant of Stuxnet – called Stuxnet.a – is believed to have been relatively unsuccessful, or perhaps just ultra quiet. It was only in 2010, following the chaos unleashed by Stuxnet.b that security experts were able to identify the worm.
Kaspersky earlier published a detailed blog post that spelled out the similarities in the module used in the two malicious programs.
According to Kaspersky, the differences between the two are small but significant – they show that the authors of Flame, who carried out their work ahead of the Stuxnet team, most likely shared the module’s source code, rather than an executable file.
Schouwenberg argues that this is an important detail:
“[Flame's developers] shared their intellectual property with Stuxnet, which is huge news. In any kind of software endeavor, you don’t share your source code with just anyone. Source code is your ultimate possession. It’s your source of income, actually. So we’re really quite sure that the Flame team had to have approved the sharing of the code.”
Kaspersky and other security firms previously believed that the teams behind Flame and Stuxnet were funded by the same organization, but Schouwenberg now claims that the evidence suggests that the two worked even more closely than that:
“This shows that the Flame and Stuxnet operations were parallel projects, and we’re now 100% sure they worked together.”