When the malware known as “Flame” was found last month, initial analysis indicated that it did not share code with Stuxnet and Duqu, two previously discovered programs also directed at Iran and other nations in the Middle East. However, researchers at Kaspersky Lab have found that a chunk of early Stuxnet code called “resource 207” is also present in Flame, which indicates a connection between the authors of both programs.
An early version of Stuxnet from 2009 included the resource 207 module, which helped spread the virus to new machines via USB drives by exploiting a then-unknown security flaw in the Microsoft Windows operating system. The later incarnation of Stuxnet could accomplish the same task with different sections of code, and resource 207 was discarded. But when Kaspersky Lab researchers began studying an early module of Flame, they found its code bore a strong resemblance to Stuxnet’s resource 207. They believe that Flame was created first (which means it must date back to at least 2009), and its module lent a hand to the early stages of Stuxnet until the younger malware had been developed enough to stand on its own.
This similarity does not indicate that Flame and Stuxnet had the same programmers—while Stuxnet and Duqu share the same computing platform, Flame has a different architecture and uses different methods to infect computers. But although the authors of each program worked independently, they shared information at least once, and they may have cooperated on more than just resource 207, perhaps trading information on other Microsoft vulnerabilities.
The New York Times recently reported that Stuxnet was developed by the U.S. and Israel (in a secret project named “Olympic Games”) to interfere with Iran’s nuclear-enrichment facilities. Thus far, the source of Flame has not been pinned down.
[via Ars Technica]