Among the three Stuxnet variants discovered, the second one spread the most and was the most thoroughly analyzed. But the first one - Stuxnet.A - is the one that bears the aforementioned evidence.
Created in June 2009, this variant differs greatly from the next one, which was created in March 2010.
For one, it didn't use the infamous MS10-046 LNK file vulnerability. It also had only one driver file, and it used a "special trick" with the autorun.inf file to infect USB drives.
There was, however, one module - dubbed "resource 207" - which was not used again in the second version. As it turned out, it is the thing that links Flame and Stuxnet.
According to the researchers, in October 2011 the company's automatic system detected a sample that got classified as a Stuxnet variant. At the time, they believed it was a false positive, so it was disregarded and simply named Tocy.a.
But when Flame was recently discovered, they went back through the system logs in search of samples that might have been it.
"Between samples that looked almost identical to Flame, we found Tocy.a," they shared. "Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection."
So, it turns out, "resource 207" is actually a Flame plugin. "Or, to be more precise, 'proto-Flame' – a module that obviously has a lot in common with the current version of mssecmgr.ocx and which had evolved into Flame by 2012."
Resource 207's main aim was to perform the aforementioned trick with the autorun.inf file to infect USB drives by performing a privilege escalation exploit and injecting Stuxnet into the system processes.
But, after the vulnerability was patched four months later, resource 207 lost its effectiveness, and was consequently dropped from later Stuxnet versions due to the addition of a new method of propagation (vulnerability MS10-046).
"By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence and already had a modular structure," say the researchers. "After 2009, the evolution of the Flame platform continued independently from Stuxnet."
They came to the conclusion that two independent developer teams continued to work on the malware, but kept their efforts separate. One, working on the Flame platform, created Flame - a complex cyber espionage tool. The other, using the "Tilded" platform, developed Stuxnet, whose goal was to perform cyber sabotage.
"In 2009, part of the code from the Flame platform was used in Stuxnet. We believe that source code was used, rather than complete binary modules. Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities," they concluded.
All this, combined with the sophisticated and effective misuse of the Windows Update mechanism, seems to confirm the theory that behind these efforts is a resource-rich nation state.
Whether (as some reports would have it) that nation state is the US aided by Israel is still impossible to tell.