Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Welcome to the TechnoWorldInc! Community!
Recent Updates
Will iPhones cost more be...
by Saniya Abraham
[April 12, 2025, 01:54:20 PM]
OpenAI sues Elon Musk cla...
by Saniya Abraham
[April 12, 2025, 01:54:20 PM]
Microsoft rolls out AI sc...
by Saniya Abraham
[April 12, 2025, 01:54:20 PM]
Everyone's jumping on the...
by Saniya Abraham
[April 12, 2025, 01:54:20 PM]
From chatbots to intellig...
by Saniya Abraham
[March 12, 2025, 03:05:30 PM]
'Garbage' to blame Ukrain...
by Saniya Abraham
[March 12, 2025, 03:05:30 PM]
Google Chromecast users' ...
by Saniya Abraham
[March 12, 2025, 03:05:30 PM]
Global smartwatch sales f...
by Saniya Abraham
[March 12, 2025, 03:05:30 PM]
Court strikes down US net...
by Saniya Abraham
[January 03, 2025, 03:29:12 PM]
Tesla sales stall as Chin...
by Saniya Abraham
[January 03, 2025, 03:29:12 PM]
Nick Clegg leaves Meta ah...
by Saniya Abraham
[January 03, 2025, 03:29:12 PM]
Why Apple is offering rar...
by Saniya Abraham
[January 03, 2025, 03:29:12 PM]
Vodafone-Three merger cou...
by Saniya Abraham
[November 08, 2024, 04:31:03 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Techno News
 Resource 207: Kaspersky Lab Research proves that Stuxnet and Flame developers ar
Pages: [1]   Go Down
  Print  
Author Topic: Resource 207: Kaspersky Lab Research proves that Stuxnet and Flame developers ar  (Read 472 times)
RealWire
TWI Hero
**********



Karma: 0
Offline Offline

Posts: 18530


View Profile Email

UK, Abingdon, 11th June 2012 - Discovery of the Flame malware in May 2012 revealed the most complex cyber-weapon to date. At the time of its discovery, there was no strong evidence of Flame being developed by the same team that delivered Stuxnet and Duqu. The development approach of Flame and Duqu/Stuxnet was different as well, which lead to the conclusion that these projects were created by separate teams. However, the following in-depth research, conducted by Kaspersky Lab experts, reveals these teams in fact cooperated at least once during the early stages of development.

Quick facts:
• Kaspersky Lab discovered that a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.
• This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
• This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
• The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025.
• Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilised new vulnerabilities.
• Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new “zero-day” vulnerabilities.

Background
Stuxnet was the first cyber-weapon targeting industrial facilities. The fact that Stuxnet also infected regular PCs worldwide led to its discovery in June 2010, although the earliest known version of the malicious program was created one year before that. The next example of a cyber-weapon, now known as Duqu, was found in September 2011. Unlike Stuxnet, the main task of the Duqu Trojan was to serve as a backdoor to the infected system and steal private information (cyber-espionage).

During the analysis of Duqu, strong similarities were discovered with Stuxnet, which revealed that the two cyber-weapons were created using the same attack platform known as the “Tilded Platform”. The name originated from the preferences of the malware developers for filenames of the form “~d*.*” – hence, “Tilde-d”. The Flame malware, discovered in May 2012 following the investigation prompted by International Telecommunication Union (ITU) and conducted by Kaspersky Lab, was, at first sight, entirely different.  Some features, such as the size of the malicious program, the use of LUA programming language and its diverse functionality all indicated that Flame was not connected to Duqu or Stuxnet’s creators. However, the new facts that have emerged completely rewrite the history of Stuxnet and prove without a doubt, that the “Tilded” platform is indeed connected to the Flame platform.

New findings
The earliest known version of Stuxnet, supposedly created in June 2009, contains a special module known as “Resource 207”. In the subsequent 2010 version of Stuxnet this module was completely removed. The “Resource 207” module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame. The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming.

Furthermore, most sections of code appear to be identical or similar in the respective Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Duqu/Stuxnet teams was done in a form of source code (i.e. not in binary form). The primary functionality of the Stuxnet “Resource 207” module was distributing the infection from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code which is responsible for distribution of malware using USB drives is completely identical to the one used in Flame.

Alexander Gostev, Chief Security Expert at Kaspersky Lab, comments: “Despite the newly discovered facts, we are confident that Flame and Tilded are completely different platforms, used to develop multiple cyber-weapons. They each have different architectures with their own unique tricks that were used to infect systems and execute primary tasks. The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected”.

Further details about the investigation can be found in the article at Securelist.com. To learn more about Flame malware refer to the Flame FAQ prepared by Kaspersky Lab’s security researchers.

Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Powered by SMF 1.1.4 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Page created in 0.205 seconds with 23 queries.