The Flame inside StuxnetFirst of all, let’s recap the Stuxnet story. We managed to recover just three different variants of the worm, created in June 2009, and in March and April 2010. The March 2010 variant was responsible for the greatest number of infections and was detected in June 2010 by specialists from the company VirusBlokAda in Belarus. This particular version was subjected to the most detailed analysis by anti-malware companies. Shortly afterwards, when news of Stuxnet had already become widespread, files related to its June 2009 incarnation were detected. This version, the so-called Stuxnet.A (1.0), differed considerably from the 2010 variants. The main differences were:
The Tocy storyIn October 2010, our automatic system received a sample from the wild. It analyzed the file thoroughly and classified it as a new Stuxnet variant, Worm.Win32.Stuxnet.s. With Stuxnet being such a big thing, we looked at the sample to see what it was! Sadly, it didn’t look like Stuxnet at all, it was quite different. So we decided to rename it to Tocy.a and thought “silly automatic systems!”. When Flame was discovered in 2012, we started looking for older samples that we might have received. Between samples that looked almost identical to Flame, we found Tocy.a. Going through the sample processing system logs, we noticed it was originally classified as Stuxnet. We thought, how was it possible? Why did the system think that this Flame sample was related to Stuxnet? Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to “resource 207” from Stuxnet. It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection. Going back to the story, this is how we discovered the incredible link between Flame and Stuxnet.
Resource 207Resource 207 is an encrypted DLL file that contains another PE file inside (351,768 bytes).
This particular code, which exactly matches the code in resource 207, is currently used by Flame, where it is executed by the “Autorun_infector” module.
An old 0-dayThe Stuxnet Resouce 207 Flame-module contains an Escalation of Privilege exploit and is using it at stage of infection from USB drive for injecting main Stuxnet body to system processes. This is of interest in its own right. The exploit code in the file atmpsvcn.ocx is similar to that which we, Kaspersky Lab, found in the 2010 versions of Stuxnet and which was subsequently addressed by the MS10-073 patch. The code’s style, logic and details of its implementation were the same in the 2009 and 2010 code. Clearly, these two pieces of exploit code were written by the same programmer. However, a different exploit targeting a different vulnerability, which was older and was patched by 2010, was used in the 2009 version of Stuxnet. At the time when “resource 207” was created (February 2009), the vulnerability was not publicly known and was thus, it was a true 0-day vulnerability. Essentially, the vulnerability consists of the absence of input data checking, allowing the NtUserRegisterClassExWOW() function to overwrite a WORD of data beyond the allocated memory range in win32k. The function’s address in the _gpsi structure is overwritten with the address of the shellcode in two steps. Then the NtUserMessageCall() function is called, which passes control to the shellcode with kernel-level privileges. Neither function is exported to user mode, which means that addresses and parameters for calling services directly can be found by parsing modules on disk (user32&win32k). This vulnerability description is strikingly similar to that of vulnerability “Windows Kernel Could Allow Elevation of Privilege (968537)”, which was closed in June 2009 with patch MS09-025; however, we are still analyzing the code and can’t provide a 100% confirmation of this as yet.
Our analysis suggest several important conclusions, which we summarize below:
2012 Jun 11, 19:32
http://www.prevx.com/filenames/1302415679693314105-X1/DAT3B.TMP.EXE.html -- related?
2012 Jun 11, 19:32
Alex: Did you get personal security (bodyguard) as analyze this software is quite risky.
2012 Jun 11, 20:02
This so called "Bundestrojaner" appeared in Germany has similiar functionality as Flame. Corelated?
Re: Re: Bundestrojaner
I think you missed something...
Re: Re: Re: Bundestrojaner
indeed, is a special case; doubt that it has a large population
GEMA Ransirac more...
I have studied the FLAME virus not from its technical implementations, but from a psychological analasys point of view, I have to conclude this.
looking at the big picture, there are only three nations in the world who can achieve this kind of coop work.
A contractor certainly was involved making FLAME happen in the first place.
The three nations I am talking about is Germany at number 1 as prime suspect with the scientific expert knowledge of designing(BND), the second suspect would be the United Kingdom for security and quality assurance(Secret Service aka MI6), and the third suspect would be the Israel Secret Agency Mossad perhaps for distripution.
The brain behind the espionage project can be no other than the USA NSA. A coop link to Russia is as far as I am concerned out of scope. Neither Japan (I think).
My assumptions are based on historical data how secret agencies act and implement and develop strategies.
At this point it is theory at best, but we are against something too big to ever find out who it was.
What we need is global awareness that such things never will stop. In fact, these things will get even worst. What we have seen with FLAME, is not even the tip of the iceberg.
2012 Jun 11, 21:31
Stuxnet dropper -
2012 Jun 12, 00:02
First team base in US and second Israel...
2012 Jun 12, 15:43
Hands up, you and your team are great! I love reading this, please keep up the good work Aleks!
2012 Jun 13, 03:01
Looking at the cute file names in Flame, I would characterize them all as mild slang that only a female native American speaker -- the project coordinator -- would use. These are not the words of a person raised in Australia, Canada, Ireland, New Zealand or the British Isles and certainly not of someone who spoke English as a second language. (Of course that person could have emigrated to another country long before Flame was underway.)
Re: and 1 more question
* "... the cute file names ... that only a female native American speaker ... would use."
: True, but not necessarily female
* "... every security software firm in the world saying they caught it years ago, followed by silence about their largest single customer, the government, who would have been really really annoyed by a 2010 announcement."
: True, sadly
After all I read about 'Flame-Deployment',like...
1) 'Yet Not Closed Security-holes' in Windows (let open deliberately)
2) Additional 'Faked/Stolen' Microsoft certificates
3) Some 6 to 10MB package-downloads from faked Microsoft update-servers (initial infection, not network)
... so, after that and similar strange information from other sites, including their own stupid justifications, my question is:
"What exactly is MICROSOFT(c) doing there?"
or "Why is the CIA visiting all the time?"
or even "What has Microsoft Update to do with HOME SECURITY?"
Good Night, and Good Luck
Edited by Apira Prima, 2012 Jul 18, 03:41