Flame Spyware Directly Connected to Stuxnet, Russian Firm Says
The recently discovered Flame spyware is directly connected to Stuxnet, researchers at a Russian security firm said today (June 11).
An early version of Stuxnet dating from 2009 contained a software module that enabled the spread of the infection across USB flash drives, and also contained a "zero-day" exploit of a then-unknown Microsoft vulnerability to gain escalated privileges inside an infected machine.
The findings, released today by Moscow-based Kaspersky Lab, indicate that "by the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had modular structure," wrote Kaspersky researcher Alexander Gostev on the firm's SecureList blog.
"We were wrong ... in that we believed Flame and Stuxnet were two unrelated projects," Gostev wrote.
"This is of huge importance to computer security as a whole," Boston-based Kaspersky researcher Roel Schouwenberg said in an online news conference following Gostev's posting.
The shared USB-infection module, dubbed "Resource 207," first appeared in the initial version of Stuxnet, which was created in June 2009, Gostev wrote.
Two later versions of Stuxnet, which were altered to more efficiently attack Iran's uranium-processing facility at Natanz in the summer of 2010, replaced Resource 207 with other components.
But in October 2010, Kaspersky's automated malware-tracking software detected what it flagged as a fourth variant of Stuxnet. At the time, Kaspersky's researchers examined the new piece of malware, determined it bore no relation to Stuxnet, and shelved it.
Flame's sudden discovery on May 28 prompted security researchers all over the world to re-examine their malware logs to see when it first appeared — and Kaspersky's check threw up the "fourth" variant of Stuxnet as a possible match.
"It turns out that Stuxnet's resources actually contain a Flame platform component," Gostev wrote.
To be more precise, Resource 207 is one of about two dozen plug-ins that can be added to the Flame platform to customize it against specific espionage targets.
Its inclusion in the first version of Stuxnet demonstrates that the Flame and Stuxnet developers were sharing code in 2009 — but apparently never shared code again.
"After 2009, the evolution of the Flame platform continued independently from Stuxnet," Gostev wrote.
It's possible that Resource 207 was provided to either or both groups of developers by a third party, which would undermine the Kaspersky assertion that the Stuxnet and Flame developers shared resources.
Kaspersky came under criticism from other security researchers after it, along with research groups in Hungary and Iran, disclosed the existence of Flame on May 28.
The company was accused of exaggerating Flame's capabilities and sophistication, and even of being a proxy for the Russian government and for a United Nations agency that wants to remove major sections of the Internet from U.S. government control.
Asked how he would respond to similar criticism regarding the Flame-Stuxnet link, Schouwenberg responded that the code would support Kaspersky's claims.
"I think others will back up these claims as they do their own research," Schouwenberg said during the Kaspersky news conference. "This is new ground, and we need to understand how it works and what it means."
Kaspersky's assertion that Flame is among the most sophisticated pieces of malware ever developed has been buttressed in the past two weeks as more has emerged about the super-spyware bug.
On June 4, Microsoft revealed that Flame used a forged Microsoft digital certificate to mimic Windows Update in order to spread to all Windows machines on a computer network, a development that F-Secure researcher Mikko Hypponen called the "Holy Grail" of malware features.
Two days later, two Dutch researchers showed that Flame's fake Microsoft digital certificate had been forged using groundbreaking mathematical techniques.
The Flame developers did something nearly impossible: they created a cryptographic "collision," producing the same extremely large number that a Microsoft secret key would have produced when input into a cryptographic algorithm.
"The design of this new variant required world-class cryptanalysis," said one of the Dutch researchers.
Few experts now dispute that Flame was developed for espionage purposes by a well-funded group of researchers and programmers working for a national government. The remaining question is: Which national government?
On June 1, four days after the disclosure of Flame, The New York Times published a well-researched story establishing that American and Israeli government researchers worked together to create Stuxnet.
Neither government has disputed the allegations, and the U.S. Justice Department has launched an investigation to find who leaked details to the Times' reporter.
If the U.S. government developed Flame as well, that would mean its team was actively involved in undermining the security of Windows, America's biggest software export.
Another scenario is that Flame is an Israeli product, and that Resource 207 was brought to the Stuxnet project by the Israeli military-intelligence researchers who joined their American counterparts in producing Stuxnet after the Stuxnet project had already begun. (American and Israeli sources have each claimed in the press that their nation originated Stuxnet.)
Rumors in the Israeli press have connected Flame to a brewing political scandal in Israel, which alleges that Defense Minister Ehud Barak and former head of the armed forces Gabi Ashkenazi spied on each other and even tried to undermine the other with forged memos.
"Our Israeli source tells us that the Shin Bet [Israeli domestic intelligence] installed Flame on the computer of Barak's chief of staff after Ashkenazi complained the former was spying on him," Britain's Guardian newspaper said Friday (June 8).