Kaspersky: Stuxnet, Flame Authors Worked Together

On Monday researchers at Kaspersky Lab said that code shared between Flame and Stuxnet indicates that their creators worked together at some point in development.

In the security firm's latest blog post, Kaspersky said it believes Flame was actually the "kickstarter" project back in 2007-2008, before a separate team branched out to create the Tilded platform on which Stuxnet and Duqu are based. Both are believed to be state-sponsored projects.

"We discovered that Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet," said Kaspersky's Aleks Gostev. "It was actually so similar that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection."

Stuxnet's Resource 207 is an encrypted DLL that contains another Portable Executable (PE) file inside. That inner file is actually a Flame plugin, or rather, a module that has a lot in common with the current version of "mssecmgr.ocx" and which had evolved into Flame by 2012. Resource 207 contains an escalation-of-privilege exploit, which Stuxnet uses during the USB-drive infection stage to inject its main body into system processes.

"The exploit code in the file atmpsvcn.ocx is similar to that which we, Kaspersky Lab, found in the 2010 versions of Stuxnet and which was subsequently addressed by the MS10-073 patch," he said. "The code’s style, logic and details of its implementation were the same in the 2009 and 2010 code. Clearly, these two pieces of exploit code were written by the same programmer."

Kaspersky said so far it has only retrieved three variants of Stuxnet: one created in June 2009, one created in March 2010 and one in April 2010. Resource 207 was discovered in the 2009 variant, but was apparently dropped in the 2010 version. The code was instead merged into other modules.

"Despite the fact that Stuxnet has been the subject of in-depth analysis by numerous companies and experts and lots has been written about its structure, for some reason, the mysterious 'resource 207' from 2009 has gone largely unnoticed," he said. "But it turns out that this is the missing link between Flame and Stuxnet, two seemingly completely unrelated projects."

To get the full scoop on the missing link between Flame and Stuxnet, check out Kaspersky's blog post.