Bride of Stuxnet
Webcraft as spycraft.
Jun 11, 2012, Vol. 17, No. 37 • By JONATHAN V. LAST
No one is sure how long Flame has been operational. There is evidence of its existence in the wild dating to March 2010, but Flame may be older than that. (Stuxnet was discovered in June 2010 and is believed to have been released 12 months before then.) It’s difficult to date Flame because its makers went to some trouble to disguise its age. Computer code typically has metadata describing its “compilation date”—that is, the time and date it was assembled in final form. Flame’s 20 modules all have compilation dates set in 1994 and 1995, which is impossible, because they’re written in a language that was released just a few years ago.
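The forged compile dates described above, as an added defender-side example that is not part of the article or of any Flame analysis: a Python check that reads the COFF compile timestamp from a PE header and flags it when it falls outside the window between the date the build toolchain existed and the date the sample was first seen. The stub headers and the window dates (a hypothetical 2006 toolchain floor, first sighting March 2010) are constructed for illustration; for a real sample the floor would come from the compiler or runtime the binary is known to use.

```python
"""Flag PE compile timestamps that cannot be genuine (constructed example)."""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def pe_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since 1970-01-01 UTC) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    # The COFF file header follows the 4-byte signature; TimeDateStamp is its second dword
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def assess_sample(data: bytes, toolchain_floor: str, first_seen: str) -> dict:
    """Compare the stamp with the earliest date the build toolchain existed and the
    date the sample was first observed; a stamp outside that window was forged."""
    compiled = datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc)
    floor = datetime.fromisoformat(toolchain_floor).replace(tzinfo=timezone.utc)
    seen = datetime.fromisoformat(first_seen).replace(tzinfo=timezone.utc)
    return {"compiled": compiled.date().isoformat(), "plausible": floor <= compiled <= seen}


def build_stub_pe(compiled: str) -> bytes:
    """Constructed MZ + PE + COFF header carrying the given compile date (not executable)."""
    stamp = int(datetime.fromisoformat(compiled).replace(tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional header, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # Hypothetical window: toolchain released 2006-01-01, sample first seen 2010-03-01
    for date in ("1994-06-01", "2009-11-15"):
        print(date, assess_sample(build_stub_pe(date), "2006-01-01", "2010-03-01"))
```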
Neither are analysts certain exactly how Flame spreads. It has the ability to move from one computer to another by piggybacking onto a USB flash drive (just like Stuxnet). Alternatively, it can migrate across a local network by exploiting a shared printer (again, like Stuxnet). But Flame is also able to spread across a network without a printer if it finds itself on a computer that has administrative privileges. When that happens, the worm is smart enough to create backdoor accounts for all the other computers on the network and copy itself into those machines.
As for the question of security—how does Flame talk its way past the computer’s antivirus protections? No one knows. The techs at Kaspersky Lab watched Flame attack a PC running the fully updated Windows 7 security suite. The worm took over the computer effortlessly. This suggests that the worm’s designers have access to one or more vulnerabilities in the operating system that even the people who designed the OS don’t know about. (Stuxnet utilized four of these so-called zero-day exploits.)
Engineers are only two weeks into the teardown, but they already believe that Flame and Stuxnet were created by different development teams. The code and workings are dissimilar. And besides, the timelines on the two projects are too close. It is estimated that coding Stuxnet required 10,000 man-hours. For a team of 30 to 50 programmers, that’s a year or two of work. The same squad simply would not have had the time to build both Stuxnet and the much larger Flame.
That said, Kaspersky Lab notes that the worms do share two interesting similarities: They use the same rootkit-based exploit to hijack USB drives and the same print-spooler vulnerability to spread over a network’s shared printer. There are three possible explanations for this: (1) The teams that developed Flame and Stuxnet discovered these identical mechanisms independently; (2) the team that developed Flame learned about them from analyzing an early version of Stuxnet; (3) the teams that developed the two worms were working in parallel, for the same organization(s), and thus were able to share information about these mechanisms.
Yet the most interesting aspect of Flame is the strategic ways it differs from Stuxnet. As a weapon, Stuxnet was a tool conceived in urgency. Every piece of malware has to balance virulence with stealth. The more aggressively a worm propagates, the more likely it is to be caught. Stuxnet was designed to spread at a fairly robust rate. Its creators wanted it to get on lots of different computers and they were willing to risk quicker discovery on the chance that the worm would find its way to the very specific system it was meant for and deliver its payload. In the end, Stuxnet’s engineers made a good trade. Because it eventually spread to 100,000 computers, Stuxnet was caught reasonably quickly. Yet this aggressive approach got it to its target—Iran’s Natanz refinery—where it wrecked at least a year’s worth of work.
Flame, on the other hand, is a study in stealth and patience. Unlike Stuxnet, with its single-minded search for a specific computer system, Flame seems to have wandered in many directions: onto computers used by governments, universities, and private companies. It moved slowly, and the overall number of infected systems seems to be quite low. Current estimates put it at 1,000 computers, nearly all of them located in Iran, the Palestinian territories, Sudan, Syria, and Lebanon. Flame kept the number of infections low because it never moved from one computer to another without explicit instructions from its C&C. According to Kaspersky Lab, the method went something like this: