Stuxnet, Flame authors cooperated, says Kaspersky Lab

11 June 2012

Kaspersky Lab researchers have uncovered evidence that suggests the Stuxnet and Flame worms have a common origin.

Researchers found that a critical module that the Flame worm used to spread itself is similar to a module used in an early version of Stuxnet, according to a Kaspersky Lab news release.

The Resource 207 module, used in an early version of Stuxnet, is an encrypted DLL file that contains a 351,768-byte executable file named “atmpsvcn.ocx”.

This particular file, according to Kaspersky Lab, has a lot in common with the code used in Flame, including the names of mutually exclusive objects, the algorithm used to decrypt strings, and a similar approach to file naming.

Most sections of code appear to be identical or similar in the Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Stuxnet teams was done in the form of source code, Kaspersky Lab said.

“The primary purpose of the Resource 207 module was distributing Stuxnet from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code, which is responsible for distribution of malware using USB drives, is completely identical to the one used in Flame”, Kaspersky Lab explained.

“The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyberweapons are connected”, commented Alexander Gostev, chief security expert at Kaspersky Lab, in a Securelist blog post.
 
