Skip to main content

Kaspersky: Cyberweapons Flame and Stuxnet share code

Flame malware / cyberweapon
Image used with permission by copyright holder

When word of the sophisticated Flame cyberweapon first came out a couple weeks ago, Russian security firm Kaspersky indicated that despite some superficial similarities, there was no indication Flame had much of anything in common with Stuxnet, a software weapon that specifically targeted Iran’s uranium-enrichment efforts and then escaped into the wild. Now, Kaspersky says it was wrong: The firm claims to have uncovered shared code that indicate the creators of Flame and Stuxnet at least worked together — and may even be the same people.

Flame has attracted considerable attention in security circles for its sophisticated architecture the enables attackers to install modules tailored to their interest in a particular systems. Various modules appear to perform “normal” malware tasks like scanning through users’ files and logging keystrokes; Flame modules have also been found that appear to take screenshots, turn on audio microphones to record audio, and even poll nearby Bluetooth devices for contacts and other information.

The evidence? Back when Stuxnet was roaming free, Kaspersky’s automated systems picked up on something that looked like a Stuxnet variant. When Kaspersky’s staff initially looked at it, they couldn’t really understand why their systems thought it was Stuxnet, assumed it was an error, and reclassified it under the name “Tocy.a.” When Flame, appeared, however, Kaspersky went back to look for things that might link Flame to Stuxnet — and, lo and behold, there the Tocy.a variant that didn’t make any sense. In light of Flame, Kaspsersky says Tocy.a actually makes more sense: it’s an early version of a plug-in module for Flame that implements what (at the time) was a zero-day privilege escalation exploit in Windows. Tocy.a wandered into Kaspersky’s systems all the way back in October 2010, and contains code that can be traced to 2009.

“We think it’s actually possible to talk about a ‘Flame’ platform, and that this particular module was created based on its source code,” wrote Kaspersky’s Alexander Gostev.

If Kaspersky’s analysis is correct, it would indicate the “Flame platform” was already up and running by the time the original Stuxnet was created and set loose back in early-to-mid 2009. The approximate dating is possible because the proto-Flame code only appears in the first version of the Stuxnet worm: It vanished from two subsequent versions of Stuxnet that appeared in 2010.

Kaspersky infers that the highly-modular Flame platform proceeded on a different development path from Stuxnet, meaning there were at least two development teams involved. But the present of that early version of a Flame module seems to indicate the Stuxnet developers had access to source code for a true zero-day Windows exploit that was (at that point) unknown to the broader security community. That means the two teams were pretty tight, at least at one point.

The New York Times has reported that Stuxnet was created as a cyberweapon by the United States and Israel in an effort to hample Iran’s uranium enrichment activities. Since the discovery of Flame and its subsequent analysis by computer security firms, Flame’s creators have apparently sent a “suicide” command to some Flame-infected systems in an effort to remove traces of the software.

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Google’s new AI generates audio soundtracks from pixels
An AI generated wolf howling

Deep Mind showed off the latest results from its generative AI video-to-audio research on Tuesday. It's a novel system that combines what it sees on-screen with the user's written prompt to create synced audio soundscapes for a given video clip.

The V2A AI can be paired with vide -generation models like Veo, Deep Mind's generative audio team wrote in a blog post, and can create soundtracks, sound effects, and even dialogue for the on-screen action. What's more, Deep Mind claims that its new system can generate "an unlimited number of soundtracks for any video input" by tuning the model with positive and negative prompts that encourage or discourage the use of a particular sound, respectively.

Read more
The Vision Pro 2 may already be dead
Apple Vision Pro

According to reports from The Information, Apple is working on a cheaper non-Pro version of the Vision Pro headset -- and hitting pause on the development of the next high-end model. These rumors come from people involved with the supply chain and manufacturing of the Vision Pro, who claim that Apple has told at least one supplier that it's stopping work on the next Vision Pro.

Just like any other Apple product with "Pro" in its name, the Vision Pro was always meant to be part of a lineup of multiple models, so it's not too much of a surprise that a cheaper model is in the works. What is surprising, however, is that there may not be a second generation of the Vision Pro released alongside it -- at least not anytime soon.

Read more
Whatever you do, don’t click this error if you see it pop up
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

Hackers have devised a new, deceptive method to trick users into installing a malware named ClickFix, according to cybersecurity firm Proofpoint. The scheme involves enticing users with fake solutions to common errors in popular services such as Chrome, OneDrive, and Microsoft. Once users download and execute these "fixes" by clicking the Copy fix button, they unwittingly run a PowerShell or a Windows Run dialogue command that compromises their systems.

This dialogue installs a "root certificate" to flush the DNS cache, remove the clipboard content, show a fake message, and install an additional remote PowerShell script that does an anti-VM check before the info-stealer is installed. Various hacker groups, including those responsible for ClearFake, allegedly use this method. Proofpoint details how hackers exploit jeopardized sites by incorporating a malicious script handed over by Binance's Smart Chain contract on the blockchain to spread malware and infect susceptible Windows computers.

Read more