Stuxnet, Flame authors cooperated, says Kaspersky Lab

Researchers found that a critical module that the Flame worm used to spread itself is similar to a module used in an early version of Stuxnet, according to a Kaspersky Lab news release.

The Resource 207 module, used in an early version of Stuxnet, is an encrypted DLL file, and it contains an executable file that is the size of 351,768 bytes with the name “atmpsvcn.ocx”.

This particular file, according to Kaspersky Lab, has a lot in common with the code used in Flame, including the names of mutually exclusive objects, the algorithm used to decrypt strings, and a similar approach to file naming.

Most sections of code appear to be identical or similar in the Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Stuxnet teams was done in the form of source code, Kaspersky Lab said.

The primary purpose of the Resource 207 module was distributing Stuxnet from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code, which is responsible for distribution of malware using USB drives, is completely identical to the one used in Flame”, Kaspersky Lab explained.

“The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyberweapons are connected”, commented Alexander Gostev, chief security expert at Kaspersky Lab, in a Securelist blog post.

What’s Hot on Infosecurity Magazine?