Security Researchers Discover Link Between Stuxnet and Flame

By Lucian Constantin, IDG News Service, Romania Bureau

Security researchers from antivirus vendor Kaspersky Lab have found evidence that the development teams behind the Flame and Stuxnet cyberespionage threats collaborated with each other.

The Kaspersky researchers determined that Flame, which is believed to have been created in 2008, and a 2009 version of Stuxnet shared one component that served the same purpose and had similar source code.

Back in October 2010, Kaspersky’s researchers analyzed a sample that the company’s automated systems had classified as a Stuxnet variant. At the time, the researchers dismissed the detection as an error because the sample’s code looked nothing like the code in Stuxnet.

However, after Flame was discovered at the end of May, the Kaspersky researchers searched their database for malware samples that might be related to the new threat and found that the sample detected as Stuxnet in 2010 was actually a Flame module. The module uses an autorun.inf trick to infect computers via USB drives.

Upon further research, the Kaspersky analysts determined that Stuxnet.A, which was created in early 2009, uses the same autorun.inf trick to spread via USB drives. In fact, the source code responsible for this is almost identical to that in the Flame module.

“It looks like the Flame platform was used to kick start the Stuxnet platform,” said Roel Schouwenberg, a senior researcher with Kaspersky Lab’s global research and analysis team, during a conference call with the press.

Same Flaw Targeted

The Kaspersky researchers already knew that Stuxnet and Flame leveraged the same EoP vulnerability, but this wasn’t conclusive proof that their developers collaborated. The exploit could have been created by a third party that sold it to both teams, Schouwenberg said.

However, the new discovery suggests that the developers of the two malware threats actually shared source code, which is intellectual property and wouldn’t normally be shared between unrelated teams. “We are now 100 percent sure that the Flame and Stuxnet groups worked together,” Schouwenberg said.

The Kaspersky researchers discovered that the Flame module integrated into Stuxnet.A exploited a Windows elevation of privilege (EoP) vulnerability that wasn’t known at the time of the malware’s creation. This would be the fifth zero-day (previously unknown) vulnerability exploited by Stuxnet, Schouwenberg said.

The researchers believe that this vulnerability was one that Microsoft patched in June 2009, a few months after the creation of Stuxnet.A, but they are not yet certain and are still investigating.

Later Stuxnet versions stopped using the Flame module entirely and began exploiting a separate vulnerability that relied on malformed LNK (shortcut) files to propagate via USB drives.

Interestingly, the exploit code from Stuxnet.A’s Flame-borrowed module is very similar to the exploit code for a different EoP vulnerability that’s present in later Stuxnet versions. The researchers believe that both sections of code were written by the same programmer.

Same Source, Different Purposes

When Microsoft patched the EoP vulnerability in 2009 — a few months after the creation of Stuxnet.A — the Stuxnet developers stopped using the Flame module for propagation and began exploiting a new vulnerability, which relied on malformed LNK (shortcut) files.

The theory put forward by the Kaspersky researchers is that Flame and Stuxnet were created by two separate teams as part of two operations funded by the same nation state. Flame was probably used for espionage and Stuxnet used for sabotage, Schouwenberg said.

According to a recent New York Times report that quotes anonymous sources from the Obama administration, Stuxnet was created by the U.S. and Israeli governments as part of a secret operation called Olympic Games with the goal of crippling Iran’s ability to produce weapon-grade nuclear fuel.

Cyberwarfare Gets Political

By Stefan Hammond

This year there’s a Summer Olympics, a European football contest, and a U.S. presidential election. The Olympics return to London for the first time since 1948, the Euro Cup comes to Poland and Ukraine, and the U.S. election hinges on only a few states as the USA still uses a colonial-era “electoral college” which supersedes the popular vote.

This year’s Euro Cup features Eastern European locations — while Ukraine struggles with its public political image, Poland emerges as a player within the EU. Five years ago, I visited the stadium in Warsaw — it was a derelict, overgrown open pit with rotting bleachers. Dodgy characters offered to sell me bootleg vodka and pirated CDs. Friends told me that handguns and AK-47s were sometimes on offer.

You’ll see the same stadium (considerably revamped) soon as a centerpiece for Euro Cup matches. Decades ago, Poland distanced itself from what former U.S. president Ronald Reagan called the “evil empire” (the Soviet Union), then the entire “Iron Curtain” came crashing down suddenly as Western newscasters struggled to pronounce the words “glasnost” and “perestroika” . . . and the USA lost its favorite arch-enemy.

But now the Euro Cup graces the former turf of the “evil empire,” and there’s another presidential election Stateside. Former U.S. chief executives could often conjure villains for the electorate — the now-kaput Soviet Union won’t do. What now? What appeals to “Generation Facebook”?

What else? “Cyberwarfare.” Given the rapid rise of personal computing power, with resultant gaps in public understanding of technology, the specter of villains lurking online — ready to crash essential systems in a concerted cyberstrike — holds more appeal than comparing Putin to Stalin.

Worm as Warfare

But a new report has wrenched the cyberwarfare angle. According to the New York Times, the Stuxnet worm (one of the more sophisticated viruses ever found in the wild) is the result of “a joint US and Israeli effort to target Iran’s nuclear program.” IDG journalist Jaikumar Vijayan writes that the Times report “is sure to trigger a sharp increase in state sponsored cyberattacks against American businesses and critical infrastructure targets, security experts warn.”

“Alan Paller, director of research at the SANS Institute, said the revelation dramatically alters the cybersecurity landscape,” wrote Vijayan. “‘We are now going to be the target of massive attacks,’ Paller said. … ‘For a long time everything has been under the radar, no one was really sure that the U.S. was practicing this kind of activity. The U.S. has acted like it was an innocent victim’ of state-sponsored attacks by other countries, he said.”

The damning Times article details some pithy moments: “‘Should we shut this thing down?’ Mr Obama asked, according to members of the president’s national security team who were in the room.”

Well, no, Mr. President, that’s not how properly constructed military-specification computer viruses work when they’re in attack-mode. You don’t hit the ‘Like’ button on your friend Mister Antivirus to make it all go away.

Stuxnet (ironically code-named ‘Olympic Games’ and initiated by the Bush administration in 2006) “was of an entirely different type and sophistication,” according to the Times. “It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives,” said the article.

“Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons…could enable other countries, terrorists or hackers to justify their own attacks.”

Ready for Cyberbattle?

And in 2012, as Londoners discover the Ministry of Defence is considering placing surface-to-air missiles on residential flats during the Olympics, the Times article said “another cyberweapon called Flame was recently discovered to have attacked the computers of Iranian officials…American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.”

The Olympic Flame seems to have acquired an unintentional double meaning. But among these half-revealed tales of cyberwarfare, who are the real bad guys? Security experts know that malware is in a constant state of flux, and actions often provoke reactions — just ask Sony about its experience with Anonymous.

Perhaps the U.S. president was prescient in repeatedly voicing his concern over the U.S. government’s actions. We can only hope that the technological expertise that created Stuxnet was also applied to hardening weak points that may be attacked — now that the USA has lost the moral high ground.

No word yet on whether the U.S. presidential candidates plan to make “cyberwarfare” a campaign issue. Perhaps this particular issue has become too hot for mere politicians to handle.


Flame virus, most sophisticated malicious code ever seen, was developed by U.S. government

By J. D. Heyes

(NaturalNews) Anyone who has spent longer than a day on a computer knows how dangerous to your hard drive malware and other malicious code can be. Most of us have fallen victim to one or the other and have cursed the day the hacker who developed it was born. Now, according to reports, some of the most sophisticated malicious code ever developed is a product of the United States government, leaving more than a few tech experts and analysts concerned that maybe now, Washington has become a bigger…