Stuxnet, Duqu and Flame made by same Team

In-depth research shows that Flame and Stuxnet, two serious pieces of malware released against the Iranians, were made in co-operation with each other. A report from Kaspersky Lab today pretty much solidifies what many security experts assumed: that both programs were made by the same group.

According to the report, “a module from the early 2009 version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.” Some other interesting points from the report include:

  • Flame was created first, as Stuxnet includes one of Flame's modules
  • Flame and Stuxnet use the same USB infector mechanism
  • In 2010, Flame and Stuxnet joint development seems to have ended

The module that was shared between both programs is called “Resource 207”. According to Kaspersky, the “module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.”

and:

The primary functionality of the Stuxnet “Resource 207” module was distributing the infection from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code which is responsible for distribution of malware using USB drives is completely identical to the one used in Flame.

The code seemed to be shared at the program level, not the binary level. This actually makes a lot of sense. Two teams, one presumably American and one Israeli, could have worked together on the overall attack plan and co-created the shared code. Then they could have split up to write the code for their individual end goals: one to disable the physical equipment and process, the other a remote access tool and data miner.
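The Kaspersky description quoted above gives a defender two concrete attributes of the Resource 207 payload: the file name “atmpsvcn.ocx” and an exact size of 351,768 bytes. The script below is an added triage example (not code from the original post or from Kaspersky) that sweeps a directory tree for files matching both attributes, hashes exact matches with SHA-256 for reporting, and lists name-only matches separately so an analyst can still review them. The sample directory it builds is a constructed fixture of zero-filled files, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator taken from the Kaspersky Lab description quoted in the post:
# Resource 207 carries an executable named "atmpsvcn.ocx" of exactly 351,768 bytes.
INDICATOR_NAME = "atmpsvcn.ocx"
INDICATOR_SIZE = 351_768


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_resource207_candidates(root, name=INDICATOR_NAME, size=INDICATOR_SIZE):
    """Walk `root` and report files whose name matches case-insensitively.

    Returns a dict with two lists:
      "exact"     -> (path, sha256) for files matching BOTH name and exact size
      "name_only" -> (path, actual_size) for files matching the name but not the size
    Requiring both attributes keeps false positives down; the name-only list is
    kept so a suspicious file of a different build is not silently dropped.
    """
    exact, name_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():
                continue
            p = Path(dirpath) / fname
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if st.st_size == size:
                exact.append((str(p), sha256_of(p)))
            else:
                name_only.append((str(p), st.st_size))
    return {"exact": exact, "name_only": name_only}


def build_sample_tree(base):
    """Constructed fixture (zero-filled files, not malware): one file matching
    name and size, one decoy with the right name but wrong size, one unrelated file."""
    base = Path(base)
    (base / "sys").mkdir(parents=True, exist_ok=True)
    (base / "sys" / "ATMPSVCN.OCX").write_bytes(b"\x00" * INDICATOR_SIZE)
    (base / "atmpsvcn.ocx").write_bytes(b"\x00" * 1024)
    (base / "readme.txt").write_bytes(b"hello")
    return base


def demo_report():
    """Build the fixture in a temporary directory, sweep it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_resource207_candidates(build_sample_tree(tmp))


if __name__ == "__main__":
    report = demo_report()
    for path, digest in report["exact"]:
        print(f"EXACT  {path}  sha256={digest}")
    for path, actual in report["name_only"]:
        print(f"NAME   {path}  size={actual}")
```

Running it prints one EXACT line for the 351,768-byte file and one NAME line for the 1,024-byte decoy. To use it against a real host, call `find_resource207_candidates("/path/to/mounted/image")`; matching on name and size is a cheap first pass, and the hash it prints is what you would compare against a vendor's published sample hash before drawing any conclusion.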

Cool stuff, makes you wonder what else Israel and the US are working on.

Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”

(Screenshot of Iran CERT warning for “Flame” Malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembled Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with its “advanced features and complexity”.

But looking at the malware’s features disclosed by Iran’s CERT team, it doesn’t seem very game-stopping:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating a series of screen captures when specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antivirus, anti-malware and other security products
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all, the malware is very large: a whopping 20 MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLite database
  • Uses some scripts written in Lua (of Angry Birds fame)

All the big-name security companies that have analyzed it seem to agree that, given its complexity, it was most likely written by a nation state and not by individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

According to Symantec:

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure about its “CyberWeapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.

New Version of Duqu Found

On Tuesday, Symantec reported on their blog that they have found yet another variant of Stuxnet’s relative “Duqu”. Symantec lists 15 variants in their Duqu whitepaper (PDF). This version is different in that it uses a new infection technique: it installs via a loader file that executes on reboot. The loader file then decrypts and installs the remaining Duqu code from the hard drive.

With a compile date of February 23, 2012, it seems that the Stuxnet creators are still alive and well.

Downed Drone Proof of Secret War in Iran?

Iran steps up preparations for military conflict after a remarkably intact American RQ-170 Sentinel stealth reconnaissance drone is displayed on Iranian TV. But is the find proof of an impending invasion or just another clue to an effective covert war already being fought in Iran?

The evidence for a secret war is overwhelming:

  • Stuxnet – Active since as early as 2006, destroyed more than 1,000 centrifuges in 2010
  • Duqu – Collected valuable information for future Stuxnet-like attacks and may have provided intel that led to several “mysterious explosions”
  • Some explosions targeted Iran’s Nuclear Scientists at their homes
  • An explosion at a secret missile base near Tehran killed the head of Iran’s long-range missile program along with 17 top members of Iran’s Revolutionary Guard
  • And an explosion rocked the uranium conversion plant in Isfahan

Cyber attacks, numerous explosions and now a stealth reconnaissance drone captured, all unrelated coincidences? I think not. Neither does a retired senior Israeli General:

“There aren’t many coincidences,” retired Major-General Giora Eiland told Israel’s army radio, noting that it was the second attack on an Iranian nuclear site in a month.

“When there are so many events, there is probably some sort of guiding hand, though perhaps it’s the hand of God,” said Eiland, who is Israel’s former national security chief.

Iran hasn’t been completely silent in responding to these incidents. Several rockets struck near Israel’s border with Lebanon just hours after the explosion in Isfahan. And Iran has been increasing military production, including shallow-water submarines, presumably in preparation for an invasion.

Even the “US Virtual Iranian Embassy”, created to “reach out” to Iranians, was blocked within hours of its launch.

Are you waiting for an attack on Iran by US and Israeli forces? The evidence is overwhelming; it has probably already been going on covertly for years.