Development timeline key to linking Stuxnet, Flame malware

Both used the same zero-day Windows bugs, say experts, but the devil is in the chronology

Nailing down a timeline for the development of Flame, the new super-cyber spying malware recently found infecting PCs in Iran and other Middle Eastern countries, will be critical to connecting the dots between it, Stuxnet and Duqu, experts said today.

Flame, as the espionage tool has been named, is a massive piece of malware -- 20 to 40 times larger than Stuxnet -- that infiltrates networks, scouts out the digital landscape, then uses a variety of modules to pilfer information.

What researchers are trying to determine is not only how Flame works -- an effort that will take months -- but how it fits with other malware that experts believe targeted Iran, a country at odds with the West over its nuclear program.

In particular, researchers want to know how Flame relates to two earlier-discovered threats: Stuxnet, which most have concluded was created to sabotage Iran's uranium-enrichment facilities, and Duqu, an intelligence-gathering tool many believe was used to pinpoint targets for Stuxnet.

"The most interesting thing about Flame is its possible relationship to Stuxnet," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. "The timelines [of the two] will play a big part in any analysis."

Liam O Murchu, director of operations for Symantec's security response center, agreed. "The timeline is very important," said O Murchu.

Both Kaspersky and Symantec are busy digging into Flame, and the two companies were instrumental in deciphering Stuxnet two years ago. They're perfectly positioned to draw conclusions about the two pieces of malware, and any connections between the pair.

Although Stuxnet was first discovered by researchers in mid-2010, Symantec traced its first attack to June 2009, with follow-up campaigns launched in March and April 2010.

Duqu, meanwhile, may have been created as early as 2007 or 2008, even though evidence of attacks by the malware can be tracked only as far back as August 2011.

So where does Flame fit in?

"We looked at our telemetry, and we see evidence of Flame in 2010," said O Murchu. "But it's very possible it goes back further than that."

Kaspersky could trace Flame back about that far, too.

"We've confirmed it in 2010, but there's some circumstantial evidence that goes back to 2007," said Schouwenberg.

What Schouwenberg called "circumstantial" was first raised by CrySyS Lab at the Budapest [Romania] University of Technology and Economics, in a first-impressions analysis of Flame published Monday. CrySyS cited a 2007 appearance of Flame's main component as possible proof of an early development date.

"[Flame] may have been active for as long as five to eight years, or even more," CrySyS asserted.

Those earlier dates have not been confirmed by either Kaspersky or Symantec, however, in part because Flame spoofs its file creation and code compilation time and date stamps.

Chronology is important because of the Windows vulnerabilities that both Stuxnet and Flame exploited.

Stuxnet was remarkable in part because it used exploits of multiple "zero-day" bugs in Windows -- ones which had not been patched by the time the malware was discovered -- and Flame leveraged some of the same bugs, including ones in Windows shortcuts and the print spooler, which Microsoft patched in August and September 2010, respectively.

If Flame's origin can be traced to before Stuxnet's discovery, the use of the zero-day vulnerabilities would link the two pieces of malware. It's very unlikely that two groups would have found, then used so many identical Windows bugs.

One thing's not in contention. Kaspersky and Symantec each are convinced that Stuxnet and Flame were built by different teams.

There's little to no similarity between the two pieces of malware.

"Stuxnet and Duqu were created on the same [development] platform, but they have nothing in common with Flame," said Schouwenberg. "There's absolutely nothing in common. Stuxnet/Duqu and Flame use completely different development philosophies."

But the then-unpatched bugs may connect the dots.

In fact, Schouwenberg is sure that they do. "The exploits being used by Flame, and that it's spread through USB devices, those are identical to what we found in Stuxnet," he said. "So we definitely think that Stuxnet and Flame were parallel operations. Whoever was behind this contracted two different teams or companies, which then came up with different solutions."

In that scenario, the two teams -- one to create Stuxnet, another to build Flame -- were hired by the same person, people, group or government around the same time, with each team provided the same zero-day vulnerabilities.

Most security experts at least suspect -- if they haven't already jumped to the conclusion -- that Flame was backed by a government.

"It's difficult to say for certain because you never know who is behind these things, but all the indicators are that [Flame] was state-sponsored," said O Murchu, who cited the complexity of the malware, its size and multiple modules, and the apparent interest in Iran as reasons for his assumption.

Schouwenberg didn't disagree.

"The complexity of the malware, the size of the malware, the size of the operation, it would take very, very serious funding to pull this off," said Schouwenberg. "Flame [stole] a huge amount of data, and it couldn't be gone through with a few guys. It had to be a huge operation and involve a lot of people."

Traditional hacker groups are much leaner, and can't afford the manpower that such malware demands: it yields massive amounts of stolen information that must be organized, analyzed and acted upon.

"The manpower needed to do this would add to the entire operation's cost," Schouwenberg added.

But if the timelines are such that it looks like Flame was created after the bugs exploited by Stuxnet went public, well, then all bets are off: The Flame team could have simply used what had been disclosed to make their own exploits of the vulnerabilities, standing on the shoulders of Stuxnet.
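The chronology argument above turns on which dates can be trusted: a compile timestamp that the malware's author can forge, versus a first sighting in vendor telemetry that the author cannot backdate. The Python below is an added example, not code from the article or from Kaspersky, Symantec or CrySyS. It reads the TimeDateStamp field from a PE file's COFF header and then ranks the available evidence the way the article describes: a sighting before the patch shipped proves zero-day use, a pre-patch compile stamp on its own is merely circumstantial, and a stamp later than the first sighting is impossible and therefore forged. The patch dates use only the months the article gives (the exact days are assumptions), and the PE header bytes, sample timestamps and sighting dates are constructed for the demonstration.

```python
"""Added example (not from the article or from the vendors it quotes):
read the build time a PE file claims, then weigh it against evidence
the malware author cannot forge."""
import struct
from datetime import datetime, timezone

# Patch months the article gives for the bugs Stuxnet and Flame shared.
# The day-of-month values are assumptions; only the month comes from the text.
DISCLOSURE_DATES = {
    "windows-shortcut": datetime(2010, 8, 1, tzinfo=timezone.utc),
    "print-spooler": datetime(2010, 9, 1, tzinfo=timezone.utc),
}


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: DOS stub + PE signature + COFF file header.
    Not executable and not real Flame bytes; only the fields read below are set."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew points at the PE signature
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: i386
        0,           # NumberOfSections
        timestamp,   # TimeDateStamp: whatever the linker (or a forger) wrote
        0, 0, 0,     # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
        0x0102,      # Characteristics: executable image, 32-bit
    )
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as a UTC datetime: the build time the file *claims*."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp follows the 4-byte signature, 2-byte Machine and 2-byte NumberOfSections.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_timeline(compile_time: datetime, first_seen: datetime, disclosure: datetime) -> str:
    """Rank the evidence. Telemetry (first sighting) cannot be backdated by the
    author; the compile stamp can. Returns one of four verdict strings."""
    if compile_time > first_seen:
        # A file cannot be observed in the wild before it was built: the stamp is
        # forged (or the build clock was wrong) and is worthless as dating evidence.
        return "stamp-impossible"
    if first_seen < disclosure:
        # Strongest case: the sample itself was seen before the patch shipped, so it
        # exploited the bug as a true zero-day regardless of what the stamp says.
        return "pre-disclosure-by-telemetry"
    if compile_time < disclosure:
        # Only the spoofable stamp places the build before disclosure: suggestive,
        # not proof, the 'circumstantial' category the article describes.
        return "pre-disclosure-by-stamp-only"
    # Both lines of evidence postdate the patch: the exploit may simply have been
    # rebuilt from public information.
    return "post-disclosure"


def demo() -> dict:
    """Constructed scenarios (sample values, not real Flame or Stuxnet dates)."""
    shortcut = DISCLOSURE_DATES["windows-shortcut"]

    def stamp(year, month):
        ts = int(datetime(year, month, 1, tzinfo=timezone.utc).timestamp())
        return pe_compile_time(build_minimal_pe(ts))

    seen_2010 = datetime(2010, 6, 1, tzinfo=timezone.utc)
    seen_2011 = datetime(2011, 3, 1, tzinfo=timezone.utc)
    return {
        "claims-2007-seen-2010": assess_timeline(stamp(2007, 1), seen_2010, shortcut),
        "claims-2012-seen-2010": assess_timeline(stamp(2012, 1), seen_2010, shortcut),
        "claims-2010-seen-2011": assess_timeline(stamp(2010, 7), seen_2011, shortcut),
        "claims-2011-seen-2011": assess_timeline(stamp(2011, 1), seen_2011, shortcut),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Run as a script, the four constructed scenarios print one verdict each. The design point is the ordering of the checks: the first sighting is consulted before the compile stamp, because the article notes that Flame spoofs its file creation and compilation stamps, so a stamp can at most corroborate a date that independent telemetry already supports.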

"We're going to have to spend a lot of time analyzing Flame before we know for certain," said O Murchu.

Kaspersky and Symantec have pledged to publish more information about Flame as they find it.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
