Indepth research shows that Flame and Stuxnet, two serious pieces of malware released against the Iranians were made in co-operation with each other. A report from Kapersky Labs today pretty much solidifies what many security experts assumed, that both programs were made by the same group.
According to the report, “a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.” Some other interesting points from the report include:
- Flame was created first, as Stuxnet includes one of Flames Modules
- Flame and Stuxnet use the same USB infector mechanism
- In 2010, Flame and Stuxnet joint development seems to have ended
The module that was shared between both programs is called “Resource 207”. According to Kapersky, the “module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.”
“The primary functionality of the Stuxnet “Resource 207” module was distributing the infection from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code which is responsible for distribution of malware using USB drives is completely identical to the one used in Flame.“
The code seemed to be shared at the program level, not the binary level. This actually makes a lot of sense. Two teams, one presumably American and one Israeli could have worked together with the overall attack plan, and co-created the code. Then they could have split up to create code to accomplish individual end goals. One being disabling the physical equipment and process, the other being remote access tool and data miner.
Cool stuff, makes you wonder what else Israel and the US is working on.