
Flamer Isn't a Stuxnet Spinoff

By Neil J. Rubenking, Principal Writer, Security


Flamer, Stuxnet, Duqu
A new and seriously complex malware threat came to light this past weekend, targeting PCs in the Middle East. Some researchers and commentators made the natural assumption that it was connected with the Stuxnet worm, which made news in 2010 by disrupting Iran's nuclear research. After all, when Duqu turned up in 2011, experts concluded it was indeed written by the Stuxnet crowd, or by coders with full access to Stuxnet source. But like the song says, it ain't necessarily so.

Developmental Differences
This latest threat is called Flamer, Flame, or sKyWIper, depending on who you ask. Flamer, Duqu, and Stuxnet do have some things in common. To start, all three are seriously modular, in a way that lets their command and control servers add or update functionality at any time. Flamer takes this to an extreme, downloading its modules in multiple sessions.

Flamer definitely needs to take it easy on download impact to avoid giving itself away. At 20MB for all modules, it's a veritable giant. A Stuxnet infestation takes just 500KB of space, according to Kaspersky researchers. Part of Flamer's size involves the use of many third-party code libraries, prefab modules that handle tasks like managing databases and interpreting script code. Neither Stuxnet nor Duqu relies on third-party modules.

Kaspersky researchers also determined that Stuxnet and Duqu were built using the same development platform. They named the platform TildeD because of the frequent appearance of "~d" in filenames. Flamer was not built using TildeD.

Further code analysis showed that Stuxnet was written using the C and C++ programming languages. Duqu gave the researchers a tough time, but they eventually determined it was written in an obscure form of object-oriented C. Flamer uses C++ for attack subroutines, but it relies strongly on the Lua scripting language for its high-order logic. Lua is rarely used by malware coders.

[Figure: sample Lua code]

Many antivirus products give a free pass (or at least a presumption of innocence) to programs digitally signed with a legitimate certificate. The coders behind Stuxnet and Duqu managed to steal valid certificates and use them for a convincing digital signature; Flamer's modules aren't signed.

Stuxnet relied on an unprecedented four zero-day attacks to penetrate systems; Duqu managed with just one zero-day attack. Flamer didn't use any zero-day attacks.

All three of these advanced malware threats targeted business and industrial PCs, but Flamer has also attacked PCs belonging to individuals. Stuxnet and Duqu infestations automatically self-destructed after a set time; Flamer can self-destruct, but only upon receiving the auto-destruct code from its masters.

To Flamer's credit, it uses some unique techniques for self-protection, among them the ability to recognize over 100 antivirus installations and modify its behavior accordingly.

Some Similarities

The commentators who initially supposed a Stuxnet connection did have some basis. Stuxnet and Flamer (but not Duqu) can infect systems via USB key, allowing them entrée to facilities that are isolated from the Internet. They also use the same printer-driver vulnerability to spread within the local network. Stuxnet does so automatically; Flamer waits for orders from its command and control servers.

Flamer is also like Duqu in that both are designed to steal information, while Stuxnet's ultimate aim was to send commands that would damage very specific machines in Iran's nuclear labs. Stuxnet is self-replicating; Duqu and Flamer are not.

Temporal Evidence

Stuxnet appeared in 2010, Duqu in 2011. The temporal evidence supports Duqu being derived from Stuxnet. However, the first reported sighting of Flamer (by Webroot) came back in 2007. Unless its coders had access to a TARDIS, there's just no way Flamer was derived from Stuxnet.

Flamer, Stuxnet, and Duqu are definitely in another class than your typical spyware or fake antivirus threat. Experts universally agree that software this complex required a coding team, not a lone wolf coder. The complexity of the task has led many to presume only a nation-state would have the resources, though Webroot's Joe Jaroch isn't so sure about Flamer in particular. "Assuming it is a nation behind the code would probably be underestimating the abilities of private malware authors," said Jaroch.

Going forward, we'll see more such targeted, low-prevalence threats. Or will we see them? If the threat is so limited in scope that antivirus research teams never get a sample, we may never know. As Roger Thompson, chief emerging threats researcher for ICSA Labs, says, "Remember, the worst hack is the one you don't know about."

In a blog post about Flamer, Thompson suggests that antivirus companies need to shift away from detection methods that require analysis of samples and instead concentrate on behavior monitoring. If each vendor has a unique style of behavior monitoring, "an attacker is faced with trying to bypass multiple and different behavior strategies [which] will make the attacker’s job some orders of magnitude harder." That makes sense to me.
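To make Thompson's point concrete, here is an added toy example (not code from the article, PCMag, or any vendor) that runs a sample-based detector and a behaviour-based detector over the same constructed endpoint event stream. The event schema, file paths, addresses and scoring weights are all assumptions invented for this illustration. The behaviour rules draw only on traits the article attributes to Flamer: an unsigned image, and modules arriving in several download sessions and being written into the system directory. A never-before-seen sample passes the hash check but is still flagged by behaviour.

```python
"""Sample-based (hash) versus behaviour-based detection over a constructed event stream.

Toy illustration only; the event schema, paths, addresses and weights are assumptions.
"""
import hashlib
from collections import defaultdict

# Constructed "known bad" list: what a sample-based detector has on hand today.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"sample-analysed-last-week").hexdigest()}

SYSTEM_DIR = "C:\\Windows\\System32\\"

# Constructed endpoint events: (pid, event_type, details). Not any real sensor's schema.
# pid 101 is an unsigned, never-seen binary that fetches modules in repeated sessions
# and drops them into the system directory; pid 202 is an ordinary signed editor.
EVENTS = [
    (101, "exec", {"image": "svchelper.exe", "content": b"never-seen-variant", "signed": False}),
    (101, "net_connect", {"dst": "198.51.100.7:443"}),
    (101, "file_write", {"path": SYSTEM_DIR + "mod1.ocx"}),
    (101, "net_connect", {"dst": "198.51.100.7:443"}),
    (101, "file_write", {"path": SYSTEM_DIR + "mod2.ocx"}),
    (101, "net_connect", {"dst": "198.51.100.7:443"}),
    (101, "file_write", {"path": SYSTEM_DIR + "mod3.ocx"}),
    (202, "exec", {"image": "wordpad.exe", "content": b"ordinary editor", "signed": True}),
    (202, "net_connect", {"dst": "192.0.2.20:443"}),
    (202, "file_write", {"path": "C:\\Users\\alice\\notes.rtf"}),
]


def hash_detect(events, bad_hashes=KNOWN_BAD_SHA256):
    """Sample-based detection: a process is flagged only if its image hash is already known."""
    flagged = set()
    for pid, kind, d in events:
        if kind == "exec" and hashlib.sha256(d["content"]).hexdigest() in bad_hashes:
            flagged.add(pid)
    return flagged


def behaviour_scores(events):
    """Behaviour-based detection: score each process on what it does, hash unknown or not."""
    state = defaultdict(lambda: {"signed": True, "sys_writes": 0, "staged": 0, "last": None})
    for pid, kind, d in events:
        s = state[pid]
        if kind == "exec":
            s["signed"] = d["signed"]
        elif kind == "file_write" and d["path"].startswith(SYSTEM_DIR):
            s["sys_writes"] += 1
            # A system-directory write right after a network session looks like a staged module drop.
            if s["last"] == "net_connect":
                s["staged"] += 1
        s["last"] = kind

    scores = {}
    for pid, s in state.items():
        score = 0
        if not s["signed"]:
            score += 2          # no presumption of innocence from a signature
        if s["sys_writes"]:
            score += 2          # writes into the system directory
        if s["staged"] >= 2:
            score += 3          # repeated download-then-drop cycles across sessions
        scores[pid] = score
    return scores


def behaviour_detect(events, threshold=5):
    """Processes whose behaviour score reaches the (assumed) alerting threshold."""
    return {pid for pid, sc in behaviour_scores(events).items() if sc >= threshold}


if __name__ == "__main__":
    print("hash-based flags:     ", hash_detect(EVENTS))        # empty: sample never analysed
    print("behaviour scores:     ", behaviour_scores(EVENTS))   # {101: 7, 202: 0}
    print("behaviour-based flags:", behaviour_detect(EVENTS))   # {101}
```

The weights and threshold are deliberately simple; the point is that the second detector needs no prior sample, which is exactly the gap Thompson describes for low-prevalence threats. A vendor that chose different rules or weights would make its monitor differ from every other vendor's, which is the "multiple and different behavior strategies" an attacker would then have to defeat.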

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.
