Flame and Stuxnet interconnected?

Flame and Stuxnet, two famous pieces of malware, are growing examples of how artificial life is being deployed in cyber warfare. Both were hard-coded to accomplish their mission and affected Middle Eastern countries, with Iran as a main target. The two appeared to be quite different. Flame was large, with 20 MB of code, whereas Stuxnet was smaller by comparison. Flame was also written in a less familiar language than Stuxnet. Researchers have spent a lot of time with Flame and have finally identified some similarities.

Researchers from Kaspersky Lab have demonstrated that the two are very much related to each other, or at least have been at some point in time. They say that Flame was developed no later than the summer of 2008, while Stuxnet only emerged in the first half of the next year. They assume that two independent teams have been building their own malware since 2007-2008, but in 2009 the creators of Stuxnet borrowed a little something from Flame called resource 207.

Resource 207 was a component that allowed Stuxnet to spread to USB drives via the infamous autorun.inf file. It also allowed it to exploit a zero-day in win32k.sys to escalate its privileges. Further analysis has shown that resource 207 is actually an encrypted DLL that contains a portable executable file which is actually a Flame plugin. Spreading via autorun.inf is another trick that the Stuxnet 2009 version and the current variants of Flame have in common. Resource 207 operates as an infector of removable drives, copying ‘Flame’ module as ‘autorun.inf’ file to removable media and adding a special real autorun.inf file at end of PE file, they said. The blog post can be read here.

More analysis may reveal more similarities, but it seems the two malware teams took something from each other. Stay tuned as we keep an eye on the other part.
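The file layout described above for resource 207, an autorun.inf that is really a PE file with genuine autorun.inf text appended, is something a defender can check for on removable media. The Python below is an added example, not code from Kaspersky Lab or from this post; the function names, result labels and sample bytes are constructed for illustration.

```python
import struct

# "[autorun]" as ASCII and UTF-16LE; matched case-insensitively below.
MARKERS = (b"[autorun]", "[autorun]".encode("utf-16-le"))

def pe_signature_offset(data: bytes):
    """Offset of the PE signature if data begins with an MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # pointer to "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew

def classify_autorun(data: bytes) -> str:
    """Label the contents of a file named autorun.inf (labels are this example's own)."""
    lowered = data.lower()  # lowercases ASCII bytes only, enough for both encodings
    pe_off = pe_signature_offset(data)
    if pe_off is None:
        has_text = any(m in lowered for m in MARKERS)
        return "plain-text" if has_text else "unrecognized"
    # Autorun text after the PE signature: embedded in or appended to an executable.
    trailer = any(lowered.find(m, pe_off) != -1 for m in MARKERS)
    return "pe-with-autorun-text" if trailer else "pe-only"

def classify_path(path: str) -> str:
    """Classify an autorun.inf on disk, e.g. at the root of a mounted USB drive."""
    with open(path, "rb") as fh:
        return classify_autorun(fh.read())

def sample_pe(with_trailer: bool) -> bytes:
    """Constructed sample: MZ stub plus PE signature only, not a working executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    body = bytes(dos) + b"PE\0\0" + b"\0" * 64
    return body + (b"[AutoRun]\r\n" if with_trailer else b"")

if __name__ == "__main__":
    for name, blob in (("pe+trailer", sample_pe(True)), ("pe", sample_pe(False)),
                       ("text", b"[autorun]\r\nicon=drive.ico\r\n")):
        print(name, "->", classify_autorun(blob))
```

A legitimate autorun.inf is a small text file, so any result other than `plain-text` for a file with that name on removable media is worth investigating.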
