Security researchers say they've found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran's nuclear program.

An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning. Even more significantly, they discovered that a small chunk of code found in the Stuxnet.A (1.0) variant contained some of the contents of today's Flame. In addition to unearthing previously overlooked data about how Stuxnet hijacked targeted networks, the discovery is important because it establishes the first positive connection between the developers of Stuxnet and those behind Flame, which came to light two weeks ago as a highly sophisticated espionage platform that targeted computers in Iran and other Middle Eastern countries.

"The fact that the Flame group shared their source code, their intellectual property, with the Stuxnet group proves that there is an actual link," Roel Schouwenberg, a senior researcher at Kaspersky Lab, said during an online press conference. "They actually cooperated at least once. That's, I think, huge news. It confirms our beliefs we've had all along, that the Flame operation and the Stuxnet operation were two parallel projects fashioned by the same entities."

The Flame code was found in a platform component that was included in earlier versions of Stuxnet that were collected in 2009, Kaspersky researchers wrote in a blog post published Monday. The component, referred to as "resource 207," contained a portable executable file that was likely added to Stuxnet early on while it was still fledgling. The code was removed from later versions of Stuxnet, once that malware was able to achieve the same capabilities using different components.

"We firmly believe that the Flame platform predates the Stuxnet platform," Schouwenberg continued. "It kind of looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going. After 2009, this resource 207 was actually removed from Stuxnet, and the Flame operation and the Stuxnet operation each went their separate ways. Maybe this was because the Stuxnet code was now mature enough to be deployed in the wild."

Schouwenberg said the common code shared between the two malware families has gone unnoticed until now because researchers have analyzed later versions of Stuxnet that no longer included it.

The research suggesting that Flame is a precursor to Stuxnet and was sponsored by the same wealthy source is consistent with what is already known about the two pieces of malware. Stuxnet pinpointed specific nuclear facilities in Iran and infiltrated them with software that caused their uranium centrifuges to malfunction while reporting back to engineers that all equipment was working normally. Before the Stuxnet developers could execute such a technologically advanced surgical strike, they almost certainly needed espionage malware that gathered detailed data about the makeup of the plants and the equipment they used.

Some of the Flame code included in resource 207 contained a "special trick" to infect USB drives by manipulating the "autorun.inf" configuration file used to automatically launch applications when they're inserted into Windows PCs. It also contained code that exploits a privilege-escalation vulnerability designated as MS09-025. Microsoft didn't release an update patching the bug until June of 2009. That means the early version of Stuxnet was exploiting a zero-day vulnerability at the time. Until now, researchers knew Stuxnet exploited four such vulnerabilities. Kaspersky's discovery brings that number to five.

Clues that Stuxnet contained Flame code have been in researchers' logs since at least October 2010, when automated systems at Kaspersky received a malware sample and labeled it as Stuxnet. Researchers later dropped the attribution and renamed the malware as Tocy.a after failing to find any connection to Stuxnet.

"Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet," Kaspersky Lab Expert Alexander Gostev wrote in Monday's blog post. "It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection."

During Monday's conference, researchers also independently confirmed findings first published last week that an attack that hijacked Microsoft's Windows Update mechanism deployed a novel "collision" attack on the MD5 algorithm not seen by cryptographers before.

"This was a completely new collision attack," Schouwenberg said. "What makes it more interesting is if it truly dates back to [2009], that means this collision attack was done before any public documentation on this matter, and that really shows these are world-class cryptographic experts involved."

Story updated to correct size of the chunk of code borrowed from Flame.