The Flame backstory keeps getting fleshed out. And the latest development is a doozy.
Researchers at security company Kaspersky Labs have discovered that portions of the Flame malware are nearly identical to parts of the famed Stuxnet worm discovered in 2010, and which was recently revealed to be part of a U.S. cyberwar effort against Iran.
The similarities of Flame to Stuxnet haven’t gone unnoticed, but it’s only today that the extent to similarities is finally being realized.
Calling the evidence “conclusive”, Kaspersky researcher Roel Schowenberg found similiaries all across the code of both operations.
For researchers, this could only mean one thing: the writers of Flame and Stuxnet were working together. And this wasn’t just a casual collaboration — the developers actually shared source code. This, Schowenberg said, is a major revelation.
“With these kind of operations, your source code is your ultimate possession — and this was shared,” Schowenberg said in an online press conference on Monday. “You don’t share your source of income.”
“This confirms our beliefs that the projects were developed in parallel, and commissioned by the same entities,” he said.
One of the links comes in the form of Resource “207”, a module used to automatically infect removable USB drives. A major component of early versions of Stuxnet, portions of the file were also discovered in Flame.
With the newest findings, Kaspersky Lab researchers have concluded that Flame predates Stuxnet, and that Flame itself was used as a platform for the Stuxnet effort. The efforts of the two teams working on the projects split in 2009, Kaspersky believes.
Schowenberg has some theories on the connection, and said that it’s possibile that Stuxnet was meant to be primarily a sabotage operation. Flame, on the other hand, was built for espionage and information acquisition.
“[It’s possible that the developers] didn’t want to mix the tools any longer than was strictly necessary,” Schowenberg said.
With every new discovery, researchers are getting not just a clearer picture of Flame, but of something much larger as well.
“If we discover something in Flame, it can tell us something about the whole organization,” Kaspersky lab researcher Vitaly Kamluk said.
All of which underscores the importance of previous findings that the Flame writers were attempting to erase the malware from infected computers. Perhaps this connection is one that the creators of both programs wanted to keep secret.
VB's research team is studying web-personalization... Chime in here, and we’ll share the results.