Kaspersky Labs claims Stuxnet and Flame developers connected
Two weeks ago we reported that security suite maker Kaspersky Labs had uncovered the Flame botnet, which it claimed could be the most lethal cyber weapon of its kind. At the time, it was noted that Flame was much more complex than Stuxnet and was not related to it. After further research, the experts at Kaspersky Labs have found a link between Stuxnet and Flame: their developers were connected.
Their research claims that the earliest known version of Stuxnet, from 2009, contained a special module called Resource 207, which the 2010 version of Stuxnet did not contain. The “Resource 207” module was an encrypted DLL file containing an executable named “atmpsvcn.ocx”, and this file has a lot in common with the code used in Flame.
Kaspersky Labs points to a list of similar mutual-exclusion (mutex) objects, the algorithm used to decrypt strings, and similar approaches to file naming. In fact, the research found that most sections of the code are identical or highly similar between the Stuxnet and Flame modules. This level of similarity points to the conclusion that at some point the developers of Stuxnet and Flame shared their code.
The core function of the Resource 207 module was to spread the infection from one machine to another using removable USB drives, exploiting a vulnerability in the Windows kernel to escalate privileges on the system. This very code is identical to the code used in Flame.
In spite of this similarity and sharing of code, Kaspersky’s Chief Security Expert, Alexander Gostev, reiterates that the two pieces of malware have different purposes and are built on different architectures.
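The kind of comparison described above (overlapping mutex names, identical string-decryption parameters, and a shared file-naming convention) is what analysts run when deciding whether two samples share a code base. The script below is an added illustration, not Kaspersky's tooling or a reconstruction of their analysis: it takes artifact lists that an analyst would have extracted beforehand and reports which categories overlap. Every artifact value in it is constructed for the example except the filename "atmpsvcn.ocx", which the article names; the mutex names, decryption parameters and the verdict thresholds are assumptions.

```python
"""Compare code artifacts from two samples to surface shared-origin indicators.

Added example. Inputs are artifacts an analyst has already extracted
(mutex names, string-decryption parameters, dropped filenames). All values
are constructed except "atmpsvcn.ocx", which comes from the article.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SampleArtifacts:
    name: str
    mutexes: set = field(default_factory=set)          # raw mutex names as created by the sample
    decrypt_params: dict = field(default_factory=dict)  # parameters of the string-decryption routine
    filenames: set = field(default_factory=set)         # filenames the sample drops or loads


def normalize_mutex(m):
    """Strip the Global\\ / Local\\ namespace prefix and fold case so that
    the same mutex created in different namespaces still matches."""
    return re.sub(r"^(Global|Local)\\", "", m, flags=re.I).lower()


def filename_pattern(fn):
    """Reduce a filename to its naming convention: letters -> 'a', digits -> '9',
    extension kept. 'atmpsvcn.ocx' becomes 'aaaaaaaa.ocx'."""
    stem, _, ext = fn.lower().rpartition(".")
    if not stem:              # no dot at all: rpartition put the whole name in ext
        stem, ext = ext, ""
    pattern = re.sub(r"[a-z]", "a", stem)
    pattern = re.sub(r"[0-9]", "9", pattern)
    return f"{pattern}.{ext}" if ext else pattern


def jaccard(x, y):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    return len(x & y) / len(x | y) if (x or y) else 0.0


def compare(a, b):
    """Return per-category overlap between two samples plus a coarse verdict.
    Verdict threshold (assumption): overlap in at least two independent
    categories is treated as a likely code-sharing indicator."""
    mut_a = {normalize_mutex(m) for m in a.mutexes}
    mut_b = {normalize_mutex(m) for m in b.mutexes}
    fn_a = {filename_pattern(f) for f in a.filenames}
    fn_b = {filename_pattern(f) for f in b.filenames}
    keys = set(a.decrypt_params) | set(b.decrypt_params)
    shared_params = {k for k in keys
                     if k in a.decrypt_params and k in b.decrypt_params
                     and a.decrypt_params[k] == b.decrypt_params[k]}
    report = {
        "shared_mutexes": sorted(mut_a & mut_b),
        "mutex_jaccard": jaccard(mut_a, mut_b),
        "shared_decrypt_params": sorted(shared_params),
        "decrypt_jaccard": len(shared_params) / len(keys) if keys else 0.0,
        "shared_name_patterns": sorted(fn_a & fn_b),
        "naming_jaccard": jaccard(fn_a, fn_b),
    }
    hits = sum(1 for k in ("shared_mutexes", "shared_decrypt_params", "shared_name_patterns")
               if report[k])
    report["categories_hit"] = hits
    report["verdict"] = "code sharing likely" if hits >= 2 else "weak or no link"
    return report


# Constructed samples. Mutex names, decryption parameters and the second
# and third filenames are invented; "atmpsvcn.ocx" is the name from the article.
SAMPLE_A = SampleArtifacts(
    name="sample-A (constructed)",
    mutexes={r"Global\TH_POOL_SHD_MTX_CONSTRUCTED", r"Global\MTX_CONSTRUCTED_2"},
    decrypt_params={"method": "xor-rolling", "key_len": 4, "seed": 0x31415926},
    filenames={"atmpsvcn.ocx", "svchost1.tmp"},
)
SAMPLE_B = SampleArtifacts(
    name="sample-B (constructed)",
    mutexes={r"Local\th_pool_shd_mtx_constructed", r"Global\OTHER_MTX_CONSTRUCTED"},
    decrypt_params={"method": "xor-rolling", "key_len": 4, "seed": 0x27182818},
    filenames={"cnstrctd.ocx", "setup.exe"},
)
SAMPLE_C = SampleArtifacts(  # unrelated control sample
    name="sample-C (constructed)",
    mutexes={r"Global\UNRELATED_MTX_CONSTRUCTED"},
    decrypt_params={"method": "rc4", "key_len": 16},
    filenames={"update.exe"},
)

if __name__ == "__main__":
    for other in (SAMPLE_B, SAMPLE_C):
        r = compare(SAMPLE_A, other)
        print(f"{SAMPLE_A.name} vs {other.name}: {r['verdict']} "
              f"(categories hit: {r['categories_hit']})")
        for k in ("shared_mutexes", "shared_decrypt_params", "shared_name_patterns"):
            print(f"  {k}: {r[k]}")
```

The mutex normalisation matters because the same mutex created under `Global\` in one sample and `Local\` in another is still the same developer habit; the filename reduction catches a shared convention (eight lowercase letters plus `.ocx`) even when the concrete names differ. A single overlapping category is deliberately reported as weak, since common runtime libraries and packers produce coincidental matches.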
“Despite the newly discovered facts, we are confident that Flame and Stuxnet are completely different platforms, used to develop multiple cyber-weapons. They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected,” Gostev clarified.