Flame and Stuxnet Malware Share Source Code

Russian cybersecurity firm Kaspersky Labs has reported that the Flame virus, malware discovered in May that was found to be infecting hundreds of computers in Iran, Israel and the Middle East, shares some of its source code with Stuxnet, malware that reportedly damaged a nuclear facility in Iran and that was built by programmers in Israel and the US. An earlier version of Flame, “Tocy.a,” which was detected in October of 2010, bears numerous similarities to a portable executable file in Stuxnet, “Resource 207.” For both Flame and Stuxnet, this code had a key role: once an infected USB stick was inserted into a computer, the code contained instructions to “autorun” the malware and thereby to install and propagate it.

Talking Points Memo describes the implications of such findings as potentially “enormous,” especially due to the recent report (first appearing in the New York Times) linking Stuxnet to the US and Israel. Stuxnet seems to be the first cyberweapon in an ongoing US cyber-espionage effort that is codenamed “Olympic Games.”

Despite the similarities, Kaspersky and other leading cybersecurity analysts have yet to say whether both malware programs were created by the same teams of programmers. What is certain is that, given the complexity of both Flame and Stuxnet, they were commissioned by nation-states, a point reiterated by Dr. Hamadoun Toure, the head of the United Nations’ telecommunications agency, who told the BBC that he “does not think the US is behind the attack.” He also said that he did not consider Flame an act of cyberwar because “it has been detected in time.”

Prof. Alan Woodward, a computer security expert at the University of Surrey, commented to the BBC that, while the existence of the shared code suggests the programmers of both types of malware were “collaborating, albeit only in a minor way,” much else “still indicates that Flame and Stuxnet were written, designed and built by a completely separate group of developers.”

Kevin Haley, director of security response at American cybersecurity firm Symantec, which is also analyzing the code, said in Talking Points Memo that

“I think the lesson governments take away from these pieces of malware is that they work, and that if ‘we’re not doing it, we should be.’ We’d be foolish to believe otherwise.”

Whoever wrote Flame were “world-class cryptographers,” Ars Technica observes, citing Alex Sotirov, a co-founder and chief scientist of New York-based security firm Trail of Bits. Sotirov says that the cryptographic process Flame needed in order to take over Microsoft’s Windows Update process was “so computationally demanding, it would have required the equivalent of $200,000 worth of computing time from Amazon’s EC2 Web service for most people to carry it out.”

The US government has still not officially commented on Flame. US Attorney General Eric R. Holder has directed two US Attorneys to investigate the recent disclosures to the media, and has come under bipartisan attack over the leak investigations.


Photo by sk8geek


Ra-Ana G. (5 years ago)

Sounds like sci-fi, but is all too real. There should definitely be more exposure of this story!

John D. (Past Member, 5 years ago)

Punish the people carrying out this act of war.

Alice H. (5 years ago)

Our government has said if we suffer a computer attack we are justified to respond with any means necessary -- in other words we consider it an act of war -- and yet we are willing to use computer viruses on others. And we expect no repercussions -- this kind of action should be exposed and decried.

What we should NOT have done, is given the Shah the help that started Iran's nuclear exploration.

Carole L. (5 years ago)

I'm just going to reformat my hd, i usually do that every 6mo to a year anyhoo, just for gp and my puter is over due.

Carole L. (5 years ago)


Posted on April 20, 2012 at 1:05 PM

Updated Friday, Apr 20 at 4:12 PM

WASHINGTON -- For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections after early July.

The problem started when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual move, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system will be shut down this summer.

The FBI is encouraging users to visit a website run by a security partner that will inform them whether they're infected -- and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

To check and clean computers, try: www.dcwg.org

When you access the site, click on "Detect" in the upper left corner, or on the Green Button next to it.

You will be directed to a new page. Pick your language from the list and click on the link next to it.

If your computer is not infected, you will see a green logo with the message: "DNS Resolution(equals)Green. Your computer appears to be looking up IP addresses correctly!"

If you see that message, you don't need to do anything more.

If you see a message with a red logo saying your computer appears to be inf

Carole L. (5 years ago)

I heard about this a month ago;

FBI Warns Common Virus Will Shut Down Infected Computers This July

via PSFK: http://www.psfk.com/2012/04/fbi-warns-of-common-virus-headlines.html#ixzz1xj5nB0mB

If your computer is affected with DNSChanger malware, the FBI warns that your computer will lose its Internet connection on July 9th if you don’t take proper steps to remove the virus

Stephen Day (5 years ago)

The title is misleading. How could anyone tell if they shared "source code"? Since the source code is only available to the person(s) who wrote and compiled the source code into executable code. How much executable code they share is another matter entirely... is it a few bytes or several thousand consecutive bytes?

As Carina K. mentioned, if the programmer used any publicly available snippets of code, or even incorporated a standard library of functions (such as a Windows DLL), then they will share code, but that does not mean they were written by the same people.

Sarah H. You misunderstood things... the names of viruses are either given to them or visible in the code itself. By "code", it means the digital files that comprise the software/virus... it's not the same meaning as a "secret code".

Michael C. (5 years ago)

If there is an investigation, do not expect it to go anywhere, kind of like the 911 investigation.

That would be like asking the wolf to guard the hen house. The U.S. was/is behind Stuxnet and most probably Flame, it originated with the Americans, with help of those bastard jews in Occupied Palestine, along with Siemens Corp, which implanted the virus.

They were attempting to cause the Iranians to lose control over their centrifuges, over 1000 of them. Which are used to separate bulk material from enriched.

When Stuxnet "broke out," I was locked out of my Yahoo account for nearly 3 weeks, they went as far as to insinuate that I had played a role.

In the end, I was to discover that an Iranian scientist with whom I had exchanged e-mails had been working at one of the Iranian sites. Actually, our conversations were about promoting sanitation and clean water throughout the developing world.

His laptop became infected, that was the reason that I was given. The e-mails he sent to me got loaded onto Yahoo's systems, the rest as they say is, "History."

I, for one, never realized any problems with my computers, his laptop was loaded with a Windows operating system, my computers (3) are all MacBooks.

Moral of the story, you want to stay clean, stay away from the Windows to Hell... Go Mac.

Troy Grant (5 years ago)

Are these people above the law?

John Mansky (5 years ago)

Interesting article, thank you...