The malware commonly known as “Flame” appears to have a common origin with the military-grade Stuxnet worm.
That assessment comes from Kaspersky Lab, which has been comparing the two pieces of malware since Flame gained notoriety two weeks ago, when it was discovered by the Iranian government as part of an alleged attack on the country's oil facilities.
According to a blog post from Kaspersky researchers, "a critical module that the Flame worm used to spread is identical to a module used by Stuxnet.a, an early variant of the Stuxnet worm that began circulating in 2009, more than a year before a later variant of the worm was discovered by antivirus researchers at the Belarusian firm VirusBlokAda."
Kaspersky now considers the module in question to be a Flame plug-in.
This discovery reverses the company's earlier position, which held that Flame and Stuxnet showed no obvious link or common software ancestor, even though both campaigns were concentrated on the Middle East, both spread via USB storage devices, both abused the Windows AutoRun feature, and both exploited a Windows print-spooler vulnerability.
The Kaspersky report finds that the two pieces of malware parted ways at some point after 2009, possibly because each was handed to a separate development team.
Flame, however, appears to have been created first, and one of its modules was apparently reused in the development of Stuxnet, where it is thought to have exploited a zero-day privilege-escalation vulnerability that Microsoft later patched. That module was dropped from Stuxnet in 2010, the year the patch was issued.
A number of news reports point to the US and Israeli governments as the ultimate sources of Flame, Stuxnet, or both. Neither has yet become a problem for corporate networks, but channel partners say the pair will likely foster renewed interest in information security.
“The sophistication and modularity of these two pieces of malware show us that highly competent individuals, possibly backed by governments, are involved,” said Garth Brown, president of the Semaphore Corporation, a Mercer Island, Washington-based VAR.
"The days when security threats were mostly coming from kids are now over. I expect to see an uptick in security spending, which until now has usually happened only at the companies that get hit. As an industry, we haven't had the right mindset. Hopefully, this changes that."
Considered one of the most advanced pieces of malware ever discovered, Flame can exfiltrate a wide range of data from infected machines to its command-and-control servers. It can also inject code, download additional malware, copy itself, delete itself and carry out a number of other operations, with its modules and communications protected by complex encryption.
It was also able to use unauthorised digital certificates that chained up to a Microsoft certificate authority, which let it pass itself off as a Microsoft update until Microsoft revoked the offending certificates in an update last week.
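A practitioner's follow-up to that last point is to confirm that the revocation has actually landed on a given Windows host. The PowerShell snippet below is an added example and is not code from the article or from Kaspersky; it lists the machine's Disallowed (untrusted) certificate store and looks for the Microsoft Enforced Licensing CA subjects. Those subject strings and the advisory number (2718704) are recalled from Microsoft's own advisory on the incident, not from this page, so verify them against the advisory text before relying on the match.

```powershell
# Added example, not from the original article. Checks whether the Microsoft
# Enforced Licensing CAs (the chain Flame abused) have been moved into the
# machine's Disallowed store by Microsoft's revocation update.
# Subject strings assumed from Microsoft Security Advisory 2718704.
$suspectSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

# Cert:\LocalMachine\Disallowed is the "Untrusted Certificates" store in the MMC UI.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed

# Collect every disallowed certificate whose subject matches one of the suspects.
$found = foreach ($cert in $disallowed) {
    foreach ($s in $suspectSubjects) {
        if ($cert.Subject -like "*$s*") { $cert; break }
    }
}

if ($found) {
    Write-Output "Revocation update is in place; untrusted licensing CAs present:"
    $found | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning ("No Microsoft Enforced Licensing CA found in the Disallowed store; " +
                   "apply the update from Microsoft Security Advisory 2718704 and re-run.")
}
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; an empty result on a patched host means the subject strings need checking against the advisory, not that the host is clean.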