A recent article in eWeek looks at claims that the Flame and Stuxnet creators may have collaborated. In the piece, eWeek tells us that Kaspersky Labs believes there is a connection between Stuxnet and Flame:
According to Kaspersky, the main module in Flame contains code similar to what was found in an early iteration of Stuxnet. The discovery is significant, as many have questioned whether or not there was a connection between Stuxnet, Duqu-also considered linked to Stuxnet-and Flame.
As it turns out, the first version of Stuxnet, referred to by Kaspersky as Stuxnet.A, appeared in June 2009 and differed greatly from later variants. The 2009 version, for example, did not use the MS10-046 LNK file vulnerability to propagate, but used a special trick with the autorun.inf file to infect USB drives. The 2009 version also only had one driver file, whereas the 2010 versions had two.
The most significant change, however, involves something called “resource 207,” a 520,192-bit DLL file that was dropped altogether in 2010 when its code was merged into other modules.
“Resource 207′s main functionality was to ensure Stuxnet propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability in win32k.sys to escalate privileges in the system at [the] stage of infection from USB drive,” explained Alexander Gostev, head of the Global Research and Analysis team at Kaspersky.
“Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common,” Gostev noted.
Inside Resource 207 is a portable executable (PE) file that is actually a Flame plug-in, or more precisely, a proto-Flame module that has “obviously a lot in common” with the current version of its main module, mssecmgr.ocx, Gostev added.
This shared code, said Kaspersky Senior Virus Analyst Roel Schouwenberg, proves that there is a direct link between the pieces of malware and that there was early collaboration between their creators.
A little further down in the article, Bayshore Networks Founder and CEO Francis Cianfrocca is quoted as suggesting that the increasing use of cyber-weapons – especially ones such as we are seeing in Stuxnet, Duqu, and now Flame – is actually helping to proliferate them, and is in a sense fostering a cyber arms race:
“The implications for war are interesting for two reasons: First, we must assume that multiple entities [possibly including sovereigns] are engaged in the same efforts; and second, technology is transferrable, as we’ve seen here,” noted Francis Cianfroca, chief executive officer at Bayshore Networks. “That means that as attacks become known and publicized, the techniques become easily exploitable by others. In a key sense, using cyber-weapons proliferates them. It’s quite plausible to think in terms of an arms race taking place in the subterranean cyber-world.”
Read the whole article HERE.
Bayshore Networks
Follow @Bayshorenet
EMail Us
Connect with Bayshore