Researchers Connect Flame, Stuxnet Malware Development
Kaspersky researchers say the developer teams collaborated at least once during the development process.
Researchers at Kaspersky Lab have determined that the teams that developed the Stuxnet malware and the Flame malware "cooperated at least once during the early stages of development."
"There were two independent developer teams, with Flame development preceding Stuxnet and each team developing its own code platform since 2007-2008 at the latest, the researchers said," writes CNET News' Elinor Mills. "Both projects were state-sponsored, and Stuxnet was specifically designed to sabotage Iran's nuclear program, experts believe."
"The researchers believe the attackers may have used the Flame module to kickstart their Stuxnet project before taking both pieces of malware into different and separate directions," writes Wired's Kim Zetter. "They’ve detailed the similarities between the modules in Flame and Stuxnet in a blog post."
"The earliest known version of Stuxnet, supposedly created in June 2009, contains a special module known as 'Resource 207,'" the researchers write. "In the subsequent 2010 version of Stuxnet this module was completely removed. The 'Resource 207' module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name 'atmpsvcn.ocx.'"
"This particular file, according to Kaspersky Lab, has a lot in common with the code used in Flame, including the names of mutually exclusive objects, the algorithm used to decrypt strings, and a similar approach to file naming," Infosecurity reports. "Most sections of code appear to be identical or similar in the Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Stuxnet teams was done in the form of source code, Kaspersky Lab said."
"If the U.S. government developed Flame as well, that would mean its team was actively involved in undermining the security of Windows, America's biggest software export," writes SecurityNewsDaily's Paul Wagenseil. "Another scenario is that Flame is an Israeli product, and that Resource 207 was brought to the Stuxnet project by the Israeli military-intelligence researchers who joined their American counterparts in producing Stuxnet after the Stuxnet project had already begun. (American and Israeli sources have each claimed in the press that their nation originated Stuxnet.)"