Feeds

New fear: Worm that ransacked US military PCs was blueprint for spies' super-malware

Secret stealer spawned spooks' snoop stooge, it seems

Choosing a cloud hosting partner with confidence

A mystery worm that burrowed into US military computers to steal secrets six years ago may have inspired the development of subsequent government-grade malware Red October, Turla, Flame and Gauss.

Researchers at Kaspersky Lab reached this conclusion after finding similarities between Agent.btz – the worm that attacked in 2008 – and Turla, a powerful computer espionage tool that was only discovered last month.

Agent.btz infected the network of the US Central Command in the Middle East. Military officials at the time described it as the "worst breach of US military computers in history." The worm spread after a USB drive containing the software nasty was plugged into a PC.

It took specialists at the Pentagon 14 months to completely disinfect Agent.btz from Uncle Sam's networks. The outbreak led to the creation of the US Cyber Command. The worm, thought to have been created around 2007, had the ability to scan computers for sensitive information and send that top-secret data to a remote command-and-control server.

Last month, experts from G Data wrote a report about the super-secretive spying Turla malware, and BAE Systems published its own research, both linking the development of Agent.btz and Turla (aka Uroburos or Snake).

G Data said data-stealing rootkit Turla was so sophisticated, it had to have been created by an intelligence agency, and strongly hinted that Russian spies were responsible.

The Snake espionage tool targeted systems in ‪Ukraine‬, but systems in the US, UK, Georgia and Belgium were also infiltrated. The timing of the malware predates the ongoing political and military tension between Ukraine and Russia in Crimea.

“We haven't found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads," said Jaime Blasco, a director of security dashboard tools firm AlienVault.

Viper's nest

Kaspersky Labs researchers will not speculate about the creator of Turla, instead listing reasons why they think Agent.btz may have been used as a template for Snake and other information-stealing cyber-pathogens:

  • Red October developers clearly knew about Agent.btz's functionality as their USB Stealer module (created in 2010-2011) searches for the worm's data containers (‘mssysmgr.ocx’ and ‘thumb.dd’ files) which hold information about infected systems and activity logs, and then steal it from the connected USB drives.
  • Turla uses the same file names for its logs (‘mswmpdat.tlb’, ‘winview.ocx’ and ‘wmcache.nld’) whilst stored in the infected system, and the same XOR key for encrypting its log files as Agent.btz. 
  • Flame/Gauss use similar naming conventions such as ‘*.ocx’ files and ‘thumb*.db’. Also, they use the USB drive as a container for stolen data.

The super-snooping Flame malware, mentioned above, is widely thought to have been part of the same "Olympic Games"-codenamed US-Israeli operation that spawned Stuxnet, a software nasty specifically engineered to knacker fuel centrifuges at Iranian nuclear sites.

Kaspersky Lab researchers conclude that "developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals."

This doesn't mean there's a direct link between Agent.btz's makers and the developers of subsequent cyber-espionage tools, however.

“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, a senior security researcher at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.

"It is no secret that Agent.btz used ‘thumb.dd’ as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent-BTZ to encrypt their log files was also published in 2008."

Agent.btz was discovered on 13,800 systems across 100 countries, according to Kaspersky Lab data from last year. The malware continues to spread thanks to the continued circulation of infected USB drives.

More details of Kaspersky's analysis of the links between numerous cyber-espionage strains can be found here. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.