Kaspersky proves Flame, Stuxnet are linked

A chunk of code used in both Stuxnet and Flame shows that the developers of the two pieces of malware shared their work, researchers at Kaspersky Lab have revealed.

Stuxnet.A and Flame share a piece of identical code — the function to distribute malware from one machine to another using USB drives.
(Credit: Kaspersky Lab)

There were two independent developer teams, with Flame development preceding Stuxnet, and each team developing its own code platform since 2007-08 at the latest, the researchers said. Both projects were state sponsored, and Stuxnet was specifically designed to sabotage Iran’s nuclear program, experts believe.

In addition, a previously undiscovered elevation-of-privilege Windows exploit is in Stuxnet.A, an early variant of the malware. This was outlined by Roel Schouwenberg, senior researcher at Kaspersky Lab, in a web conference with reporters.

“We have a new old zero-day,” he said, referring to an attack that exploits a previously unknown and unpatched vulnerability. “It was a zero-day at the time of creation and most likely at the time of deployment.”

That brings to five the number of zero-day exploits that Stuxnet used. The exploit, created in February 2009, is “strikingly similar” to one that was patched by Microsoft in June 2009, researchers said.

Stuxnet.A, which dates to about June 2009, contains a module known as “Resource 207”, an encrypted dynamic-link library that in turn contains an executable which Kaspersky researchers say shares code with Flame. Resource 207 was not in Stuxnet.B, which came out in 2010. According to Kaspersky, the code’s primary functionality within Stuxnet is to spread the infection from one machine to another via removable USB drives and to exploit a vulnerability in the Windows kernel to escalate privileges on the system. The code responsible for spreading via USB drives is completely identical to that used in Flame, the researchers said; both use the Autorun function in Windows.
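The USB propagation described above relies on Windows Autorun reading an autorun.inf file from the root of the inserted drive. The checker below is an added example, not code from the article or from Kaspersky Lab: it parses an autorun.inf recovered from removable media or a forensic image and flags the directives a defender should care about. The directive names it inspects (open, shellexecute, shell\…\command, action, icon, label) are real Windows Autorun directives; the sample file contents, the severity labels and the function names are constructed for this illustration.

```python
"""Assess autorun.inf contents for directives that launch code on media insertion.

Added example for the article above (not Kaspersky Lab code). autorun.inf is an
INI-style file whose [autorun] section Windows Explorer consults when removable
media is inserted or opened. The sample file contents below are constructed.
"""
import configparser

# Directives that make Explorer run a program when the medium is inserted or opened.
LAUNCH_DIRECTIVES = {"open", "shellexecute"}
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".dll", ".lnk", ".vbs", ".js", ".hta")
# Wording of the built-in AutoPlay prompt that a malicious 'action=' line may imitate.
DEFAULT_PROMPT_WORDS = ("open folder", "view files")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section (any letter case) as a dict with lowercase keys.

    Returns an empty dict when the section is absent or the file is malformed.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";",))
    cp.optionxform = str.lower  # Windows treats directive names case-insensitively
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def _program(value: str) -> str:
    """Pull the program path out of a value such as '"my setup.exe" /quiet'."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def assess_autorun(text: str) -> dict:
    """Classify an autorun.inf as 'low', 'medium' or 'high' risk with reasons.

    high:   a directive would execute a program on insertion/open
    medium: cosmetic directives disguise the prompt or icon
    low:    only label/icon directives pointing at non-executable files
    """
    section = parse_autorun(text)
    findings = []
    risk = "low"
    for key, value in section.items():
        launches = key in LAUNCH_DIRECTIVES or (
            key.startswith("shell") and key.endswith("command"))
        if launches:
            prog = _program(value)
            note = (" (executable extension)"
                    if prog.lower().endswith(EXEC_EXTENSIONS) else "")
            findings.append(f"{key}= launches '{prog}'{note}")
            risk = "high"
        elif key == "action" and any(w in value.lower() for w in DEFAULT_PROMPT_WORDS):
            findings.append(f"action= imitates the default AutoPlay prompt: '{value}'")
            risk = risk if risk == "high" else "medium"
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon= borrows a system icon from shell32.dll: '{value}'")
            risk = risk if risk == "high" else "medium"
    return {"risk": risk, "findings": findings, "directives": section}


# Constructed sample: a photo drive that only sets a label and an icon.
BENIGN_INF = """; holiday photos
[autorun]
label=Holiday Photos
icon=photos.ico
"""

# Constructed sample: launches a program and disguises the AutoPlay prompt.
SUSPICIOUS_INF = """; constructed for illustration only
[AutoRun]
Open=setup.exe
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=setup.exe /s
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        result = assess_autorun(inf)
        print(f"{name}: risk={result['risk']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Any autorun.inf whose open=, shellexecute= or shell\…\command= line points at a file on the medium is worth a closer look regardless of what the label says; the action= and icon= lines only matter as evidence that someone wanted the AutoPlay dialog to look like the ordinary "Open folder to view files" option. The host-side mitigation is the NoDriveTypeAutoRun policy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which disables Autorun processing for the chosen drive types so the file is never acted on in the first place.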

Initially, Kaspersky researchers speculated that the projects were parallel but were hesitant to say they were developed or commissioned by the same party. Now a more definite link has been established and the timeline is clearer.

“We firmly believe the Flame platform predates the Stuxnet platform. It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going,” Schouwenberg said. “The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now, we are 100 per cent sure that the Stuxnet and Flame groups worked together.”

Still, Alexander Gostev, chief security expert at Kaspersky Lab, was careful to highlight the distinctions between Flame and Stuxnet, whose architecture is called the “Tilded platform”.

“Despite the newly discovered facts, we are confident that Flame and Tilded are completely different platforms, used to develop multiple cyberweapons,” he said in the news release.

“They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyberweapons are connected.”

Even though Stuxnet targeted industrial facilities, it also infected regular PCs, and, as a result, was discovered in June 2010, about a year after the earliest known version was believed to be created. In September 2011 came Duqu, which has identical code to Stuxnet, but which appeared designed for cyber espionage instead of sabotage. Flame was discovered last month.

Like Stuxnet, Flame has turned out to be complex. Its creators used domain names registered under fake names to communicate with infected computers in the Middle East for at least four years. Flame was able to spread to new networks by using a spoofed Microsoft digital certificate, a technique also used by Stuxnet, obtained through a sophisticated cryptographic attack. After Flame was exposed, its creators initiated a self-destruct routine in an attempt to make the malware disappear.

In an article earlier this month, New York Times reporter David Sanger confirmed long-held suspicions that the US was behind Stuxnet and Flame. Sanger, citing unnamed US government sources, wrote that Stuxnet was developed by the US, possibly with help from Israel, as a way to pre-empt a military strike against Iran over its nuclear program. Israel has denied involvement in both Stuxnet and Flame, while the US has not outright distanced itself from either.

Here is a summary from Kaspersky Lab of its latest findings:

  • By the time Stuxnet was created (in January-June 2009), the Flame platform was already in existence (we currently date its creation to no later than summer 2008) and already had a modular structure.

  • The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet.

  • The module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046) instead of the “old” autorun.inf.

  • The Flame module in Stuxnet exploited a vulnerability that was unknown at the time, a true zero-day. This enabled an escalation of privileges, presumably exploiting MS09-025.

  • After 2009, the evolution of the Flame platform continued independently from Stuxnet.

Kaspersky has discussed the details of its discoveries in a blog post.

Via CNET
