Development timeline key to linking Stuxnet, Flame malware

Both used the same zero-day Windows bugs, say experts, but the devil is in the chronology

Nailing down a timeline for the development of Flame, the new super-cyber spying malware recently found infecting PCs in Iran and other Middle Eastern countries, will be critical to connecting the dots between it, Stuxnet and Duqu, experts said today.

Flame, as the espionage tool has been named, is a massive piece of malware -- 20 to 40 times larger than Stuxnet -- that infiltrates networks, scouts out the digital landscape, then uses a variety of modules to pilfer information.

What researchers are trying to determine is not only how Flame works -- an effort that will take months -- but how it fits with other malware that experts believe targeted Iran, a country at odds with the West over its nuclear program.

In particular, two earlier-discovered threats: Stuxnet, which most have concluded was created to sabotage Iran's uranium-enrichment facilities, and Duqu, an intelligence-gathering tool many believe was used to pinpoint targets for Stuxnet.

"The most interesting thing about Flame is its possible relationship to Stuxnet," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. "The timelines [of the two] will play a big part in any analysis."

Liam O Murchu, director of operations for Symantec's security response center, agreed. "The timeline is very important," said O Murchu.

Both Kaspersky and Symantec are busy digging into Flame, and the two companies were instrumental in deciphering Stuxnet two years ago. They're perfectly positioned to draw conclusions about the two pieces of malware, and any connections between the pair.

Although Stuxnet was first discovered by researchers in mid-2010, Symantec traced its first attack to June 2009, with follow-up campaigns launched in March and April 2010.

Duqu, meanwhile, may have been created as early as 2007 or 2008, even though evidence of attacks by the malware can be tracked only as far back as August 2011.

So where does Flame fit in?

"We looked at our telemetry, and we see evidence of Flame in 2010," said O Murchu. "But it's very possible it goes back further than that."

Kaspersky could trace Flame back about that far, too.

"We've confirmed it in 2010, but there's some circumstantial evidence that goes back to 2007," said Schouwenberg.

What Schouwenberg called "circumstantial" was first raised by CrySyS Lab at the Budapest [Romania] University of Technology and Economics, in a first-impressions analysis of Flame published Monday ( download PDF). CrySyS cited a 2007 appearance of Flame's main component as possible proof of an early development date.

"[Flame] may have been active for as long as five to eight years, or even more," CrySyS asserted.

Those earlier dates have not been confirmed by either Kaspersky or Symantec, however, in part because Flame spoofs its file creation and code compilation time and date stamps.

Chronology is important because of the Windows vulnerabilities that both Stuxnet and Flame exploited.

Stuxnet was remarkable in part because it used exploits of multiple "zero-day" bugs in Windows -- ones which had not been patched by the time the malware was discovered -- and Flame leveraged some of the same bugs, including ones in Windows shortcuts and the print spooler, which Microsoft patched in August and September 2010, respectively.

If Flame's origin can be traced to before Stuxnet's discovery, the use of the zero-day vulnerabilities would link the two pieces of malware. It's very unlikely that two groups would have found, then used so many identical Windows bugs.

One thing's not in contention. Kaspersky and Symantec each are convinced that Stuxnet and Flame were built by different teams.

There's little to no similarity between the two pieces of malware.

"Stuxnet and Duqu were created on the same [development] platform, but they have nothing in common with Flame," said Schouwenberg. "There's absolutely nothing in common. Stuxnet/Duqu and Flame use completely different development philosophies."

But the then-unpatched bugs may connect the dots.

In fact, Schouwenberg is sure that they do. "The exploits being used by Flame, and that it's spread through USB devices, those are identical to what we found in Stuxnet," he said. "So we definitely think that Stuxnet and Flame were parallel operations. Whoever was behind this contracted two different teams or companies, which then came up with different solutions."

In that scenario, the two teams -- one to create Stuxnet, another to build Flame -- were hired by the same person, people, group or government around the same time, with each team provided the same zero-day vulnerabilities.

Most security experts at least suspect -- if they haven't already jumped to the conclusion -- that Flame was backed by a government.

"It's difficult to say for certain because you never know who is behind these things, but all the indicators are that [Flame] was state-sponsored," said O Murchu, who cited the complexity of the malware, its size and multiple modules, and the apparent interest in Iran as reasons for his assumption.

Schouwenberg didn't disagree.

"The complexity of the malware, the size of the malware, the size of the operation, it would take very, very serious funding to pull this off," said Schouwenberg. "Flame [stole] a huge amount of data, and it couldn't be gone through with a few guys. It had to be a huge operation and involve a lot of people."

Traditional hacker groups are much leaner, and can't afford the manpower to create malware that results in massive amounts of information that must be organized, analyzed and acted upon.

"The manpower needed to do this would add to the entire operation's cost," Schouwenberg added.

But if the timelines are such that it looks like Flame was created after the bugs exploited by Stuxnet went public, well, then all bets are off: The Flame team could have simply used what had been disclosed to make their own exploits of the vulnerabilities, standing on the shoulders of Stuxnet.

"We're going to have to spend a lot of time analyzing Flame before we know for certain," said O Murchu.

Kaspersky and Symantec have pledged to publish more information about Flame as they find it.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleGoogleKasperskyKasperskyMicrosoftSymantecTechnologyTopicWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

More videos

Blog Posts