After researchers identified the terrifying Flame malware
recently, they called it the most sophisticated cyber weapon they’d ever seen, which is impressive, considering how powerful the Stuxnet
and Duqu bugs that wrought havoc in the Middle East a couple of years ago were.
As it turns out, Flame
and Stuxnet and Duqu have quite a bit in common. Kasperky Labs has now had a chance to dissect Flame, and they have discovered strong evidence that the teams who developed Flame and Stuxnet worked together. (Previously, they determined that Stuxnet and Duqu were built on the same platform, called “Tilded”, which indicates that there was collaboration there, as well.)
L is code from DecrypString function from Resource 207; R is the same from Flame
The biggest piece of evidence pertains a module called “Resource 207”, which was in one of the early versions of Stuxnet, is more or less replicated in Flame. Resource 207’s job was to spread the infection from machine to machine. The code found in Resource 207 and the similar code in Flame share include, according to Kasperky Labs, “the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming.” Although researchers determined that Flame and Stuxnet/Duqu are built on different platforms, further similarities indicate that the Flame and Stuxnet teams flat-out swapped source code with one another, showing close collaboration at some point.
How it spreads
In a statement
, Kaspersky Lab’s Chief Security Expert Alexander Gostev said:
The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected.
There are more details available from Secure List, in a detailed blog post
The only good news here is that for the most part, consumers aren’t affected.