Kaspersky Lab researchers who have been rooting into the code of the Flame toolkit since its discovery believe to have unearthed definitive proof that, at one point in time, the developers of both Stuxnet/Duqu and Flame worked together.
Among the three Stuxnet variants discovered, the second one was the one who spread the most and the one that was most thoroughly analyzed. But the first one – Stuxnet.A – is the one that bears the aforementioned evidence.
Created in June 2009, this variant differs greatly from the next one, which was created in March 2010.
For one, it didn’t use the infamous MS10-046 LNK file vulnerability. It also had only one driver file, and it used a “special trick” with the autorun.inf file to infect USB drives.
But, there was one module – dubbed “resource 207” – which was not used again in the second version. But, as it turned out, it is the thing that links Flame and Stuxnet.
According to the researchers, in October 2011 the company’s automatic system detected a sample that got classified as a Stuxnet variant. At the time, they believed that it was a false positive, was disregarded, and named simply Tocy.a.
But when Flame was recently discovered, they went again through the system logs in search for samples that might have been it.
“Between samples that looked almost identical to Flame, we found Tocy.a,” they shared. “Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to ‘resource 207’ from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection.”
So, it turns out, “resource 207” is actually a Flame plugin. “Or, to be more precise, ‘proto-Flame’ – a module that obviously has a lot in common with the current version of mssecmgr.ocx and which had evolved into Flame by 2012.”
Resource 207’s main aim was to perform the aforementioned trick with the autorun.inf file to infect USB drives by performing a privilege escalation exploit and injecting Stuxnet into the system processes.
But, after the vulnerability was patched four months later, resource 207 lost its effectiveness, and was consequently dropped from later Stuxnet versions due to the addition of a new method of propagation (vulnerability MS10-046).
“By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence and already had modular structure,” say the researchers. “After 2009, the evolution of the Flame platform continued independently from Stuxnet.”
They came to the conclusion that two independent developer teams continued to work on the malware, but separated their efforts. One, working on the Flame platform, created Flame – a complex cyber espionage tool. The other, using the “Tilded” platform, developed Stuxnet, whose goal was to perform cyber sabotage.
“In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities,” they concluded.
All this, combined with the sophisticated and effective misuse of the Windows Update mechanism, seems to confirm the theory that behind these efforts is a resource-rich nation state.
Whether (as some reports would have it) that nation state is the US aided by Israel, it’s still impossible to tell.