
Monday, 11 June 2012

Flame and Stuxnet makers 'co-operated' on code

Source code was shared between the teams making the malware attacks, researchers said
Teams responsible for the Flame and Stuxnet cyber-attacks worked together in the early stages of each threat's development, researchers have said.


Flame, revealed last month, attacked targets in Iran, as did Stuxnet which was discovered in 2010.
Kaspersky Lab said they co-operated "at least once" to share source code.
"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," Kaspersky said.
Alexander Gostev, chief security expert at the Russian-based security company, added: "The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."
Vitaly Kamluk, the firm's chief malware expert, said: "There is a link proven - it's not just copycats.
"We think that these teams are different, two different teams working with each other, helping each other at different stages."
The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware.
It bears a "striking resemblance" to code used in Flame, Kaspersky said.
"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming," Mr Gostev said.

Direct orders
Recently, a New York Times investigation - based on an upcoming book - singled out the US as being responsible for Stuxnet, under the direct orders of President Barack Obama.
The report said the threat had been developed in co-operation with Israel.
No country has yet publicly taken responsibility for the attack.
Speaking about Flame, a spokesman for the Israeli government distanced the country from involvement following an interview in which a minister seemed to back the attacks.
"There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus," the spokesman said.

'Completely separate'
Last week, the UN's telecommunications head Dr Hamadoun Toure said he did not believe the US was behind Flame, and that reports regarding the country's involvement in Stuxnet were "speculation".
Prof Alan Woodward, a security expert from the University of Surrey, described the findings as interesting - but not yet a clear indicator of who was behind the attacks.
"The fact that they shared source code further suggests that it wasn't just someone copying or reusing one bit of Stuxnet or Flame that they had found in the wild, but rather those that wrote the code passed it over," he said.
"However, everything else still indicates that Flame and Stuxnet were written, designed and built by a completely separate group of developers.
"At the very least it suggests there are two groups capable of building this type of code but they are somehow collaborating, albeit only in a minor way."


Source: abc

Friday, 8 June 2012

Flame malware makers send 'suicide' code


The malware is said to have infected more than 600 specific targets

The creators of the Flame malware have sent a "suicide" command that removes it from some infected computers.

Security firm Symantec caught the command using booby-trapped computers set up to watch Flame's actions.
Flame came to light after the UN's telecoms body asked for help with identifying a virus found stealing data from many PCs in the Middle East.
New analysis of Flame reveals how sophisticated the program is and gives hints about who created it.

Clean machine
Like many other security firms Symantec has kept an eye on Flame using so-called "honeypot" computers that report what happens when they are infected with a malicious program.
Described as a very sophisticated cyber-attack, Flame targeted countries such as Iran and Israel and sought to steal large amounts of sensitive data.
Earlier this week Symantec noticed that some Flame command and control (C&C) computers sent an urgent command to the infected PCs they were overseeing.
Flame's creators do not have access to all their C&C computers as security firms have won control of some of them.
The "suicide" command was "designed to completely remove Flame from the compromised computer", said Symantec.
The command located every Flame file sitting on a PC, removed it and then overwrote memory locations with gibberish to thwart forensic examination.
"It tries to leave no traces of the infection behind," wrote the firm on its blog.
Analysis of the clean-up routine suggested it was written in early May, said Symantec.

Crypto crash
At the same time, analysis of the inner workings of Flame reveals just how sophisticated it is.
According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as "prefix collision attack". This allowed the virus to fake digital credentials that had helped it to spread.
The exact method of carrying out such an attack was only demonstrated in 2008 and the creators of Flame came up with their own variant.
"The design of this new variant required world-class cryptanalysis," said crypto expert Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam in a statement.
The finding gives support to claims that Flame must have been built by a nation state rather than cybercriminals. It is not clear yet which nation created the program.
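The practical consequence of a collision attack on a certificate's hash is that any credential signed with that hash can no longer be trusted, so a defender's first check is whether anything in a trust chain still carries an MD5 (or SHA-1) signature. The following is an added example written for this post, not code from the BBC article, Symantec, Kaspersky or CWI. It parses the outer signatureAlgorithm of a DER-encoded X.509 certificate with a minimal hand-written DER reader and classifies the algorithm OID. The OID values are the standard PKCS#1 and X9.62 identifiers; the function names and the stub-certificate builder used for test input are my own constructions, and the stub is a certificate-shaped skeleton, not a real certificate.

```python
"""Flag X.509 certificates whose signature uses a collision-prone hash (MD5, SHA-1)."""
import base64
import re

# Standard signature-algorithm OIDs (dotted form) and how a defender should treat them.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # broken: chosen-prefix collisions
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # deprecated: collisions demonstrated
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped here
    tag, alg, _ = _read_tlv(cert, pos)     # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_signature(der):
    """Return ('weak' | 'ok' | 'unknown', name-or-oid) for a DER certificate."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak", WEAK_SIGNATURE_OIDS[oid]
    if oid in ACCEPTED_SIGNATURE_OIDS:
        return "ok", ACCEPTED_SIGNATURE_OIDS[oid]
    return "unknown", oid


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode a single certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


# --- CONSTRUCTED test input (hypothetical helpers, not real certificates) ---
def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _der(tag, content):
    assert len(content) < 128              # short-form length is enough for the stub
    return bytes([tag, len(content)]) + content


def build_stub_certificate(sig_oid):
    """Certificate-shaped DER skeleton: empty tbsCertificate, given algorithm, dummy signature."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00\xff"))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, classify_signature(build_stub_certificate(oid)))
```

This checks only the outer signatureAlgorithm; a full validator would also confirm that it matches the signature field inside tbsCertificate and run the check over every certificate in the chain, since a weak hash on any intermediate undermines the leaf. Rejecting MD5-signed certificates outright, rather than merely warning, is the mitigation that removes this class of forgery.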
Source: bbc