Stuxnet and Flame: close cousins

By Ken Presti, on Jun 12, 2012 1:49 PM
Filed under Security

Common ancestor.

The malware commonly known as “Flame” appears to have a common origin with the military-grade Stuxnet worm.

That assessment comes from Kaspersky Labs, which has been comparing the two pieces of malware since Flame gained notoriety after being discovered by the Iranian government two weeks ago, as part of an alleged attack on the country’s oil facilities.

According to a blog post from Kaspersky researchers, “a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarusian firm VirusBlokAda.”

Kaspersky now considers the module in question to be a Flame plug-in.

This discovery reverses the company’s earlier position that Flame and Stuxnet showed no obvious link or common software ancestor, a position it held despite the fact that both attacks were concentrated on the Middle East, both spread via USB storage devices by exploiting the Windows auto-run feature, and both exploited a print spooler vulnerability.

The Kaspersky report finds the two pieces of malware appear to have taken separate directions at some point after 2009, potentially caused by each worm being assigned to separate development teams.

Flame, however, appears to have been created first, and one of its modules was apparently used in the development of Stuxnet, potentially to exploit a zero-day privilege-escalation vulnerability that Microsoft later patched. That module was removed in 2010, after the patch was issued.

A number of news reports point to the US and Israeli governments as the ultimate sources of Flame, Stuxnet, or both. While neither has become an issue for corporate networks at this point, channel partners say it will likely foster a renewed interest in information security.

“The sophistication and modularity of these two pieces of malware show us that highly competent individuals, possibly backed by governments, are involved,” said Garth Brown, president of the Semaphore Corporation, a Mercer Island, Washington-based VAR.

“The days when security threats were mostly coming from kids are now over. I expect to see an uptick in security spending, which until now, has usually happened only by the companies that get hit. As an industry, we haven’t had the right mindset. Hopefully, this changes that.”

Considered one of the most advanced pieces of malware ever discovered, Flame can upload a wide range of computerised information to command-and-control servers. It can also inject code, download additional malware, copy itself, delete itself and conduct a number of other operations, backed by complex encryption.

It was also able to leverage unauthorised digital certificates to make itself appear to be a Microsoft update until Microsoft patched that vulnerability last week.

This article originally appeared at


Copyright © 2015 The Channel Company, LLC. All rights reserved.