Security Researchers Uncover Link Between Stuxnet, Flame Malware

Flame module was incorporated in early Stuxnet version, Kaspersky Lab researchers say
By Lucian Constantin
News Jun 12th 2012

Security researchers from antivirus vendor Kaspersky Lab have found evidence that the development teams behind the Flame and Stuxnet cyberespionage threats collaborated with each other.

The Kaspersky researchers determined that Flame, which is believed to have been created in 2008, and a 2009 version of Stuxnet shared one component that served the same purpose and had similar source code.

Back in October 2010, Kaspersky's researchers analyzed a sample that had been automatically classified as a Stuxnet variant by the company's automated systems. At the time, the researchers dismissed the detection as an error because the sample's code looked nothing like the code in Stuxnet.

However, after Flame was discovered at the end of May, the Kaspersky researchers searched their database for malware samples that might be related to the new threat and found that the sample detected as Stuxnet in 2010 was actually a Flame module. The module uses an autorun.inf trick to infect computers via USB drives.

Upon further research, the Kaspersky analysts determined that Stuxnet.A, which was created in early 2009, uses the same autorun.inf trick to spread via USB drives. In fact, the source code responsible for this is almost identical to the code in the Flame module.

"It looks like the Flame platform was used to kick start the Stuxnet platform," said Roel Schouwenberg, a senior researcher with Kaspersky Lab's global research and analysis team, during a conference call with the press.

The Kaspersky researchers already knew that Stuxnet and Flame leveraged at least one of the same Windows vulnerabilities, but this wasn't conclusive proof that their developers collaborated. The exploit could have been created by a third party that sold it to both teams, Schouwenberg said.