Flame was here before Stuxnet, but researchers didn’t know that until now

Jun 11, 2012 14:27 GMT

Until now, security researchers had not been able to find any direct connection between the newly discovered Flame and Stuxnet, but further analysis has shown that the two are closely related, or at least were at some point in time.

Initially, experts did not consider the two pieces of malware related, because Stuxnet (and Duqu) were built on the Tilded platform while Flame was not.

However, as it turns out, a particular component from Flame was used by Stuxnet to infect Iranian computers back in 2009.

Kaspersky researchers reveal that Flame was developed no later than the summer of 2008, while Stuxnet only emerged in the first half of the next year.

They assume that two independent teams had been building their own malware since 2007-2008, but that in 2009 the creators of Stuxnet borrowed a little something from Flame called “resource 207.”

Resource 207 was a component that allowed Stuxnet to spread to USB drives via the infamous autorun.inf file. It also allowed it to exploit a zero-day in win32k.sys to escalate its privileges.

Further analysis has shown that “resource 207” is an encrypted DLL containing a portable executable file that is, in fact, a Flame plugin.

“Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common. Resource 207 operates as an infector of removable drives, copying ‘Flame’ module as ‘autorun.inf’ file to removable media and adding a special real autorun.inf file at end of PE file,” Kaspersky's Alexander Gostev explained.

Back in 2010, Kaspersky’s systems flagged a particular sample as a new Stuxnet variant, but at the time that didn’t seem plausible, so the researchers treated it as a classification error, named it Tocy.a, and forgot about it.

Finally, the experts believe that in 2010 the developers of Stuxnet removed the module because they had upgraded the malware to spread via the MS10-046 vulnerability instead of relying on autorun.inf.