Page 1 of 2
The malware commonly known as “Flame” appears to have a common origin with the military-grade Stuxnet worm.
That assessment comes from Kaspersky Labs, which has been comparing the two pieces of malware since Flame gained notoriety after being discovered by the Iranian government two weeks ago as part of an alleged attack on the country’s oil facilities.
According to a blog post from Kaspersky researchers, “a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarussian firm VirusBlokAda.” Kaspersky now considers the module in question to be a Flame plug-in.
This discovery reverses the company’s earlier position, suggesting that Flame and Stuxnet showed no obvious link or common software ancestor, despite the fact that both attacks were concentrated on the Middle East, shared similar modes of transmission via USB storage devices, an exploitation of the Windows auto-run feature, and exploited the use of a print spooler vulnerability.
The Kaspersky report goes on to say that the two pieces of malware appear to have taken separate directions at some point after 2009, potentially caused by each worm being assigned to separate development teams. Flame, however, appears to have been created first, and one of its modules was apparently used in the development of Stuxnet, potentially to exploit a zero-day vulnerability that enabled an escalation of privileges in a manner that was later patched by Microsoft. That module was removed in 2010, subsequent to the issuance of the patch.
A number of news reports point to the U.S. and Israeli governments as the ultimate sources of Flame, Stuxnet, or both. While neither has become an issue to corporate networks at this point, channel partners say it will likely foster a renewed interest in information security.