New details on Flame tie it to earlier cyberattacks

Researchers have found some similarities between Flame and Stuxnet/Duqu, while Iran says the malware was used in the April cyberattacks on its oil industry.

Analysis of the recently discovered Flame spyware will take some time, owing to its unusually large size, but security researchers have found some similarity to Stuxnet and Duqu, and they think that it may have come from the same source.

And although Flame has been described as information-gathering malware, Iran is now saying that Flame was behind the attacks in April on its oil industry, which prompted the country to take six refineries offline, Time reported.

The majority of Flame infections have been found in Iran and the Palestinian West Bank, with others in Hungary and Lebanon, along with some reports of infections in Austria, Russia, Hong Kong and the United Arab Emirates.


Kaspersky Lab researcher Roel Schouwenberg told the New York Times that, “We believe Flame was written by a different team of programmers but commissioned by the same larger entity.” That larger entity is likely a state-sponsored program, though Schouwenberg did not speculate on which country or countries could be involved.

The fact that Flame and Stuxnet share exploits has led Kaspersky researchers to believe that the two are linked, Dark Reading reported. The CrySyS Lab at the Budapest University of Technology and Economics, which dubbed the malware sKyWIper, agreed in its report on the malware, saying “sKyWIper and Duqu are two independent implementations developed for the same requirement specifications."

Stuxnet, which appeared in 2010, is a highly targeted worm that spread widely but had a specific purpose: disrupting uranium enrichment in Iran by taking control of the centrifuges at an enrichment plant.

Flame, a multifaceted information-gathering program that can steal documents, record audio (such as Skype calls), take screen shots and sift through e-mails and text messages, also has primarily targeted computers in Iran. It appears to be aimed at a relatively small number of targets, currently counted at about 600, and mostly aimed at individuals, despite the attack on Iran’s oil refineries.

Duqu, which like Flame was designed to steal information rather than do damage, also reportedly was found on networks connected to Iran’s nuclear program, as well as on networks elsewhere.

Security experts have cited other similarities, including Flame’s modular design, which, like Duqu’s, allows modules to be added over time, and its use of exploits similar to those used by Stuxnet. Robert Lee, an Air Force cyberspace officer writing in SC Magazine, said Flame and Stuxnet both use the MS10-061 Windows Print Spooler vulnerability, for instance. Microsoft patched that flaw in September 2010, so a fully updated Windows system was not exposed to that particular vector.

Another possible similarity between Flame and Duqu, the Times reported, was the use of character names from movies. “Beetlejuice” is the command Flame uses for communicating with Bluetooth devices, for example, and a Duqu-infecting e-mail once came from “Mr. Jason B.,” possibly a reference to Jason Bourne.

Similarities among the malware programs don’t necessarily mean they came from the same place, since code and exploits can be reused and attackers can plant false flags. But some reports already have pointed to Israel, although the country has denied involvement, the BBC reported. Many security researchers have speculated that the United States and/or Israel was behind Stuxnet.

Aside from the difficult — perhaps even impossible — task of attributing its source, researchers are also trying to determine how long Flame has been around. The CrySyS Lab said that some elements of Flame were identified in December 2007, and that modules could have been added since.

Flame is a huge malware kit, taking up some 20 megabytes, about 20 times the size of Stuxnet. It took researchers months to fully analyze Stuxnet, and they expect Flame to occupy them a bit longer.

Meanwhile, the malware’s operators appear to be trying to cover their tracks, reportedly shutting down Flame’s 80 or so command-and-control servers.