Kaspersky Experts Find Connection Between Flame and Stuxnet


Jack

Softpedia said:
If up until now security researchers haven’t been able to find any direct connection between the new Flame and Stuxnet, further analysis has demonstrated that they’re very much related to each other, or at least they have been at some point in time.

Initially, experts didn’t consider the two pieces of malware related because Stuxnet (and Duqu) were created based on the Tilded platform, while Flame was not.

However, as it turns out, a particular component from Flame was used by Stuxnet to infect Iranian computers back in 2009.

Kaspersky researchers reveal that Flame was developed no later than the summer of 2008, while Stuxnet only emerged in the first half of the next year.

They assume that two independent teams have been building their own malware since 2007-2008, but in 2009 the creators of Stuxnet borrowed a little something from Flame called “resource 207.”

Resource 207 was a component that allowed Stuxnet to spread to USB drives via the infamous autorun.inf file. It also allowed it to exploit a zero-day in win32k.sys to escalate its privileges.

Further analysis has shown that “resource 207” is actually an encrypted DLL that contains a portable executable file which is actually a Flame plugin.

“Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common. Resource 207 operates as an infector of removable drives, copying ‘Flame’ module as ‘autorun.inf’ file to removable media and adding a special real autorun.inf file at end of PE file,” Kaspersky's Alexander Gostev explained.

Read more: http://news.softpedia.com/news/Kaspersky-Experts-Find-Connection-Between-Flame-and-Stuxnet-274905.shtml
 

Jack

Very interesting article:

TG Daily said:
Flame virus wiped out by its creators
The Flame virus discovered last week targeting computers in Iran has been ordered to self-destruct, leaving no trace - and no indication of who created it.
While the 20MB behemoth contained a Suicide self-destruct module, its creators for some reason decided not to use this. Instead, they used a separate removal tool, browse32.ocx, downloaded from a command and control server still under the control of the attackers - a risky move, given the likelihood of detection.

"The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection," says security company Symantec in a blog post.

"This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind."

Read more: http://www.tgdaily.com/security-features/63944-flame-virus-wiped-out-by-its-creators
 

Jack

Just like in the case of Stuxnet, Israel and the United States are considered more or less the authors of this cyber attack ...


U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say

The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

Read more: http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
 

ranget

Well, that's not shocking, we always knew that.
Besides, who really wants to hack Iran other than the US?

To be honest, besides anything, good job US, you gave us another reason not to trust the Internet.
 

bogdan

ranget said:
Good job US, you gave us another reason not to trust the Internet!
Good point. The fact that the US Gov. approved the stealing and forging of digital certificates, which are the best thing we have at the moment for online security, worries me.
 