although 2 teams worked on Stuxnet and Flame, programmers "cooperated at least once"
06-13-2012, 11:10 PM
(This post was last modified: 06-13-2012 11:12 PM by h3rm35.)
Post: #1
Related:
US officials confirm Stuxnet was a joint US-Israeli op
http://concen.org/forum/showthread.php?tid=45937

Original URL: http://www.theregister.co.uk/2012/06/12/...searchers/

Source code smoking gun links Stuxnet AND Flame
Kaspersky: Devious cyber-weapons share software DNA
By Team Register

A direct link exists between the infamous uranium enrichment sabotage worm Stuxnet and the newly uncovered Flame mega-malware, researchers have claimed.

Russian virus protection outfit Kaspersky Lab said in a blog post yesterday [1] that although two separate teams worked on Stuxnet and Flame, the viruses' programmers "cooperated at least once during the early stages of development". The smoking gun, in the lab's opinion, is a component in an early build of Stuxnet that appears in Flame as a plugin.

The New York Times [2] revealed this month that Stuxnet's infiltration of Iran's nuclear programme, and subsequent knackering of the Middle East nation's uranium centrifuges, was a joint effort by US and Israel. The project, publicly uncovered in June 2010, was initiated by the Bush administration and continued under President Barack Obama.

Stuxnet, which notoriously exploited previously unknown security vulnerabilities in Microsoft Windows to gain access to industrial control systems, was long believed to be state-sponsored and developed by an American-Israeli alliance.

Meanwhile the Flame malware - a sophisticated data-stealing worm that has also been burning through computers in the Middle East and beyond - was active for up to two years before being unearthed by security experts in May this year. A self-destruct command was issued to the espionage virus by its shadowy handlers last week, and to us on the security desk at Vulture Central that sounds an awful lot like a James Bond mission gone wrong.

Here's a quick rundown of what Kaspersky Lab found during its research:

- A module from the early 2009-version of Stuxnet, known as "Resource 207", was actually a Flame plugin.
- This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
- This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
- The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025 [3].
- Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
- Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new 'zero-day' vulnerabilities.

Importantly, according to Kaspersky Lab's investigation, the Resource 207 module - an encrypted DLL file - contained a 341,768-byte executable file named atmpsvcn.ocx that has lots in common with the code used in the Flame malware.

"The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming," the security experts added.

Kaspersky Lab's chief boffin Alexander Gostev noted that completely different development platforms had been used to craft the separate viruses.

"The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected," he said.

A technical look at how researchers spotted Flame's code nesting in the early Stuxnet version is available here [4].

Links
[1] http://www.kaspersky.co.uk/about/news/vi..._connected
[2] http://www.nytimes.com/2012/06/01/world/...ted=1&_r=2
[3] http://technet.microsoft.com/en-us/secur...n/MS09-025
[4] http://www.securelist.com/en/blog?weblogid=208193568
06-15-2012, 12:17 AM
Post: #2
RE: although 2 teams worked on Stuxnet and Flame, programmers "cooperated at least once"
06-20-2012, 04:52 PM
Post: #3
RE: although 2 teams worked on Stuxnet and Flame, programmers "cooperated at least once"
Original URL: http://www.theregister.co.uk/2012/06/20/...ael_flame/

Flame was scout ahead of Stuxnet attack on Iran nukes - US spooks
Israel blamed for cyberweapons' escape into the wild
By John Leyden
Posted in Government, 20th June 2012 11:58 GMT

Flame was created by the US and Israel in order to collect intelligence on Iranian computer networks as part of the same covert operation that spawned Stuxnet.

Anonymous US officials told [1] the Washington Post that Flame was created as part of the secret programme codenamed Olympic Games. Flame was designed as a means to map Iranian networks, as part of a reconnaissance mission to map closed computer networks that served as a prelude to the sabotage of systems at uranium nuclear enrichment facilities carried out by Stuxnet.

The news that the US and Israel were behind Flame follows weeks after a similar confirmation that the two countries cooked up Stuxnet. Neither revelation came as a particular surprise since both strains of malware bore the hallmarks of a state-sponsored attack, cooked up by intelligence agencies or perhaps military sub-contractors rather than anything that might have been developed by either cybercrooks or politically-motivated hacktivists.

Flame was developed around five years ago as part of a classified US-Israeli effort designed to slow down Iran’s nuclear programme, reducing the pressure for a conventional military attack that would undoubtedly inflame tension in the Middle East.

Stuxnet and Flame are both elements of a broader and ongoing cyber-assault, one former high-ranking U.S. intelligence official told the Washington Post. Although Stuxnet and Flame can be countered "it doesn’t mean that other tools aren’t in play or performing effectively," he said.

Key agencies in the development of Stuxnet included the CIA’s Information Operations Center, the NSA and an Israel Defence Forces intelligence formation known as Unit 8200. However, despite working together to develop "cyberweapons", the US and Israel have not always co-ordinated their attacks.

The Washington Post sources blame assaults on Iran’s Oil Ministry and oil-export facilities launched by Israel in April for the discovery of Flame. Israel was also blamed for changes in Stuxnet that meant it spread from the compromised laptop of an Iranian nuclear technician onto the internet.

Intelligence agencies from both Israel and the US are also using more conventional spycraft to screw up the supply of hi-tech components necessary to sustain Iran's controversial nuclear program, for example by making sure the high speed centrifuges supplied to the country are often faulty.

Last week, researchers with Kaspersky Lab reported that Flame was created by a group that must have collaborated with whoever created Stuxnet. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link Stuxnet and Flame are not close relatives. However Stuxnet uses the same programming building blocks as Duqu, another information stealing cyberweapon. Neither the US nor Israel has claimed responsibility for the creation of Duqu, as yet.

Links
[1] http://www.washingtonpost.com/world/nati...ory_1.html




