Flame and Stuxnet devs shared zero day exploits

Kaspersky’s security labs have discovered that the developers of the Flame and Stuxnet worms, which were designed to tear apart critical IT infrastructure in regimes opposed to US interests, cooperated at least once in the early stages of their development.

An Obama administration spokesperson recently confirmed to the New York Times’ David Sanger, who has a book coming out, that it was behind the Stuxnet worm, which laid ruin to Iran’s nuclear enrichment facilities. Rather than an exposé, the story appeared just in time for the critical run-up to the 2012 presidential elections, where Obama and the Democrats seem to be going for the Republican vote. Mitt Romney, the Republican candidate, has claimed Obama has been too soft in his foreign policy.

Now, Kaspersky’s in-depth research proves Flame and Stuxnet were, in fact, related. Whether they were separated brothers or distant cousins, the findings suggest that they originated from the same or similar sources in the early stages.

Kaspersky discovered that a module from an early 2009 version of Stuxnet, called Resource 207, was a Flame plugin. Resource 207 is an encrypted DLL file containing an executable called atmpsvcn.ocx, which is strikingly similar to Flame’s code: both use mutex objects, similar algorithms to decrypt strings, and similar approaches to file naming, the company reports.

After Stuxnet, the Duqu Trojan hit the headlines, although it was designed to serve as a backdoor rather than to wreak havoc on infrastructure. During its investigation of Duqu, Kaspersky noted similarities with Stuxnet. The company realised they were both built on the same attack platform, known as the Tilded Platform. Kaspersky’s sleuthing led it to claim “without a doubt” that Tilded is also connected to Flame.

The cyber security company explains that this means that when Stuxnet was created at the beginning of 2009, Flame already existed, with at least one module of Flame being used in Stuxnet. This particular module was designed and used to spread the infection by USB, and is identical in both worms, according to the company.

This plugin module was later removed from Stuxnet in 2010 and replaced by others that exploited different vulnerabilities. Kaspersky says this indicates two development teams working independently, although it suspects the cooperation could have continued, with the teams trading knowledge of zero-day vulnerabilities.

Kaspersky’s chief security expert, Alexander Gostev, said that he and the company are confident that Flame and Tilded are “completely different platforms”, used to make multiple cyber weapons. Although they have different architectures, Gostev says Kaspersky’s findings do reveal that the teams were sharing source code in the early stages of development.

Although the Democrats appeared strangely enthusiastic to admit responsibility for Stuxnet, InfoSec Magazine quotes Israeli journalist Yossi Melman as suggesting Sanger’s book hasn’t got the story quite right. Israeli officials apparently told Melman that Israeli intelligence began a cyber campaign a few years earlier designed to damage Iran’s nuclear programme.

Melman claims his sources understand the “sensitivity and the timing of the issue”, possibly giving a nod to the election campaign, and are “not going to be dragged into a battle over taking credit”.