When cybersecurity experts at Russia's Kaspersky Lab first uncovered Flame, the computer espionage worm infecting thousands of systems throughout the Middle East, they claimed that it "has no major similarities with Stuxnet," the reportedly US / Israeli-developed cyberweapon that began targeting Iranian nuclear facilities in 2009. But in examining an earlier version of Stuxnet, the lab's researchers now find that they were wrong: a previously overlooked module within the virus is now providing the "missing link" between the two pieces of malware.
The module in question is "resource 207," an encrypted DLL file containing another file 351,768 bytes in size that Kaspersky's researchers say matches very closely with a module used by an early version of Flame. "It was actually so similar, that it made our automatic system classify it as Stuxnet," wrote Alexander Gostev in an in-depth post about the lab's most recent findings, indicating that the module was likely the seed of both viruses. "We think it’s actually possible to talk about a ‘Flame’ platform, and that this particular module was created based on its source code."
Also found was a previously overlooked zero-day privilege-escalation exploit, which elevates user permissions to open further attack vectors. The exploit was removed in later versions of Stuxnet, but was only discovered now because most of the research on the virus had examined its newer 2010 version. Microsoft patched the vulnerability in early June 2009, several weeks before Stuxnet is believed to have been launched.
The new evidence suggests that Stuxnet and Flame are two sides of the same coin, with the former built for sabotage and the latter for surveillance. But researchers also say that the Flame platform pre-dated Stuxnet and its sister, Duqu, and was likely built in the summer of 2008. "We believe that source code was used, rather than complete binary modules," writes Gostev. "Since 2010, the platforms have been developing independently from each other, although there has been interaction at least at the level of exploiting the same vulnerabilities."