Flame Existed Before Stuxnet; Both Are Related!
The Flame platform already existed when Stuxnet was created in early 2009. The under cover 'resource 207' links Flame to Stuxnet.
In-depth research, conducted by Kaspersky Lab's experts, has revealed that Stuxnet and Flame are connected to each other in early development stage. "By the time Stuxnet was created in early 2009, the Flame platform was already in existence. The Stuxnet code of 2009 used a module built on the Flame platform, probably created specifically to operate as part of Stuxnet," said Aleks Gostev, chief security expert, Global Research and Analysis Team, Kaspersky Lab.
The Flame cyber espionage worm affected major Middle East countries like Iran, Lebanon, Syria, Israel, Sudan, Egypt and Saudi Arabia. Previously EFYTimes.com had reported that Flame was a new species of cyber weapon that took birth recently, but research reveals that Flame is much more complex than Duqu and after 2009, the evolution of the Flame platform continued independently from Stuxnet.
Experts from Kaspersky Lab found out the main differences in the three different variants of the Stuxnet worm, created in June 2009, and in March and April 2010. Firstly, the 2009 variant didn't use the MS10-046 LNK file vulnerability. Secondly, in 2009, Stuxnet only had one driver file; in 2010 there were two (the second was added specifically to work with the LNK vulnerability). Finally, Stuxnet used a special trick with the 'autorun.inf' file to infect USB drives.
All the other differences involve minor modifications to Stuxnet's internal structure â€“ some modules were deleted and their functions transferred to other modules. The most significant of those changes involved 'resource 207'. Resource 207 is 520,192 bytes in size and can be found in the 2009 version of Stuxnet. It was later dropped altogether in the 2010 version, when its code was merged into other modules.
Map of resources in Stuxnet 2009
"In October 2010, our automatic system received a sample and on inspection it was classified as a new Stuxnet variant, Worm.Win32.Stuxnet.s. With Stuxnet being such a big thing, we looked at the sample to see what it was! Sadly, it didn't look like Stuxnet at all, it was quite different. So we decided to rename it to Tocy.a and thought. When Flame was discovered in 2012, we started looking for older samples that we might have received. Between samples that looked almost identical to Flame, we found Tocy.a," said Gostev.
"Going through the sample processing system logs, we noticed it was originally classified as Stuxnet. Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection. This is how we discovered the incredible link between Flame and Stuxnet," added Gostev.