Development timeline key to linking Stuxnet, Flame malware
Both used the same zero-day Windows bugs, say experts, but the devil is in the chronology
Computerworld - Nailing down a timeline for the development of Flame, the new super-cyber spying malware recently found infecting PCs in Iran and other Middle Eastern countries, will be critical to connecting the dots between it, Stuxnet and Duqu, experts said today.
Flame, as the espionage tool has been named, is a massive piece of malware -- 20 to 40 times larger than Stuxnet -- that infiltrates networks, scouts out the digital landscape, then uses a variety of modules to pilfer information.
What researchers are trying to determine is not only how Flame works -- an effort that will take months -- but how it fits with other malware that experts believe targeted Iran, a country at odds with the West over its nuclear program.
In particular, two earlier-discovered threats: Stuxnet, which most have concluded was created to sabotage Iran's uranium-enrichment facilities, and Duqu, an intelligence-gathering tool many believe was used to pinpoint targets for Stuxnet.
"The most interesting thing about Flame is its possible relationship to Stuxnet," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. "The timelines [of the two] will play a big part in any analysis."
Liam O Murchu, director of operations for Symantec's security response center, agreed. "The timeline is very important," said O Murchu.
Both Kaspersky and Symantec are busy digging into Flame, and the two companies were instrumental in deciphering Stuxnet two years ago. They're perfectly positioned to draw conclusions about the two pieces of malware, and any connections between the pair.
Although Stuxnet was first discovered by researchers in mid-2010, Symantec traced its first attack to June 2009, with follow-up campaigns launched in March and April 2010.
Duqu, meanwhile, may have been created as early as 2007 or 2008, even though evidence of attacks by the malware can be tracked only as far back as August 2011.
So where does Flame fit in?
"We looked at our telemetry, and we see evidence of Flame in 2010," said O Murchu. "But it's very possible it goes back further than that."
Kaspersky could trace Flame back about that far, too.
"We've confirmed it in 2010, but there's some circumstantial evidence that goes back to 2007," said Schouwenberg.
What Schouwenberg called "circumstantial" was first raised by CrySyS Lab at the Budapest [Hungary] University of Technology and Economics, in a first-impressions analysis of Flame published Monday. CrySyS cited a 2007 appearance of Flame's main component as possible proof of an early development date.
"[Flame] may have been active for as long as five to eight years, or even more," CrySyS asserted.
Those earlier dates have not been confirmed by either Kaspersky or Symantec, however, in part because Flame spoofs its file creation and code compilation time and date stamps.
Chronology is important because of the Windows vulnerabilities that both Stuxnet and Flame exploited.
Stuxnet was remarkable in part because it used exploits of multiple "zero-day" bugs in Windows -- ones which had not been patched by the time the malware was discovered -- and Flame leveraged some of the same bugs, including ones in Windows shortcuts and the print spooler, which Microsoft patched in August and September 2010, respectively.
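The reason spoofed timestamps matter for the chronology is that a PE file carries its own claimed build date in the COFF header's TimeDateStamp field, and that field is written by the linker, so whoever builds the binary can set it to anything. The following Python is an added example, not code from the article, from Kaspersky, Symantec or CrySyS, showing what a defender can and cannot conclude from that field: it builds a constructed, non-loadable PE-shaped buffer, reads the TimeDateStamp back, and checks it against two reference dates that are also constructed here (a telemetry first-sighting date and an analysis date; the function names, the 1995 cut-off and the finding labels are this example's own choices). A stamp that contradicts the sightings is evidence of tampering or sloppiness; a stamp that passes every check is simply unrefuted, which is the situation the researchers quoted above describe.

```python
import struct
from datetime import datetime, timezone


def utc_stamp(year: int, month: int, day: int) -> int:
    """Unix epoch seconds for a UTC calendar date (keeps the sample values readable)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(timedatestamp: int) -> bytes:
    """Constructed sample input: a PE-shaped buffer (DOS header, e_lfanew, 'PE\\0\\0'
    signature, 20-byte COFF file header) carrying the given TimeDateStamp.
    It is not a real or loadable binary; it only gives the parser something to read."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew -> offset of PE signature
    coff = struct.pack("<HHIIIHH",
                       0x014C,          # Machine: IMAGE_FILE_MACHINE_I386
                       1,               # NumberOfSections
                       timedatestamp,   # TimeDateStamp: the attacker-controllable field
                       0, 0,            # PointerToSymbolTable, NumberOfSymbols
                       0,               # SizeOfOptionalHeader (none in this stub)
                       0x0102)          # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image as epoch seconds (the 'compile time')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header starts right after the 4-byte signature; TimeDateStamp is at COFF offset 4
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def assess_compile_time(stamp: int, first_seen: int, analysis_time: int) -> list:
    """Sanity checks a linker timestamp can fail.

    first_seen is the earliest telemetry sighting, which is only a floor on the
    sample's real age (the article's researchers say Flame may predate their
    telemetry). An empty result means 'not contradicted', not 'trustworthy'.
    """
    findings = []
    if stamp == 0:
        findings.append("zero_timestamp")            # deliberately stripped by the builder
    elif stamp < utc_stamp(1995, 1, 1):
        findings.append("implausibly_old")           # assumed cut-off for this example
    if stamp > analysis_time:
        findings.append("postdates_analysis")        # claims to be built after it was examined
    if stamp > first_seen:
        findings.append("postdates_first_sighting")  # claims to be built after it was seen
    return findings


def triage(data: bytes, first_seen: int, analysis_time: int) -> dict:
    """Parse the stamp and attach the findings, for one sample."""
    stamp = pe_compile_time(data)
    return {
        "compile_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "findings": assess_compile_time(stamp, first_seen, analysis_time),
    }


if __name__ == "__main__":
    FIRST_SEEN = utc_stamp(2010, 6, 15)   # constructed telemetry date
    ANALYSIS = utc_stamp(2012, 5, 28)     # constructed analysis date
    for label, stamp in [("unrefuted", utc_stamp(2010, 3, 1)),
                         ("after first sighting", utc_stamp(2011, 1, 10)),
                         ("zeroed", 0)]:
        print(label, triage(build_minimal_pe(stamp), FIRST_SEEN, ANALYSIS))
```

The useful output is the list of contradictions, not the date itself: a build date later than the first sighting cannot be true, whereas a build date of 2007 on a sample first seen in 2010 is consistent with both an early origin and a backdated header, which is exactly why the vendors quoted here treat the 2007 figure as circumstantial.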