Feeds

New fear: Worm that ransacked US military PCs was blueprint for spies' super-malware

Secret stealer spawned spooks' snoop stooge, it seems

Protecting against web application threats using SSL

A mystery worm that burrowed into US military computers to steal secrets six years ago may have inspired the development of subsequent government-grade malware Red October, Turla, Flame and Gauss.

Researchers at Kaspersky Lab reached this conclusion after finding similarities between Agent.btz – the worm that attacked in 2008 – and Turla, a powerful computer espionage tool that was only discovered last month.

Agent.btz infected the network of the US Central Command in the Middle East. Military officials at the time described it as the "worst breach of US military computers in history." The worm spread after a USB drive containing the software nasty was plugged into a PC.

It took specialists at the Pentagon 14 months to completely disinfect Agent.btz from Uncle Sam's networks. The outbreak led to the creation of the US Cyber Command. The worm, thought to have been created around 2007, had the ability to scan computers for sensitive information and send that top-secret data to a remote command-and-control server.

Last month, experts from G Data wrote a report about the super-secretive spying Turla malware, and BAE Systems published its own research, both linking the development of Agent.btz and Turla (aka Uroburos or Snake).

G Data said data-stealing rootkit Turla was so sophisticated, it had to have been created by an intelligence agency, and strongly hinted that Russian spies were responsible.

The Snake espionage tool targeted systems in ‪Ukraine‬, but systems in the US, UK, Georgia and Belgium were also infiltrated. The timing of the malware predates the ongoing political and military tension between Ukraine and Russia in Crimea.

“We haven't found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads," said Jaime Blasco, a director of security dashboard tools firm AlienVault.

Viper's nest

Kaspersky Labs researchers will not speculate about the creator of Turla, instead listing reasons why they think Agent.btz may have been used as a template for Snake and other information-stealing cyber-pathogens:

  • Red October developers clearly knew about Agent.btz's functionality as their USB Stealer module (created in 2010-2011) searches for the worm's data containers (‘mssysmgr.ocx’ and ‘thumb.dd’ files) which hold information about infected systems and activity logs, and then steal it from the connected USB drives.
  • Turla uses the same file names for its logs (‘mswmpdat.tlb’, ‘winview.ocx’ and ‘wmcache.nld’) whilst stored in the infected system, and the same XOR key for encrypting its log files as Agent.btz. 
  • Flame/Gauss use similar naming conventions such as ‘*.ocx’ files and ‘thumb*.db’. Also, they use the USB drive as a container for stolen data.

The super-snooping Flame malware, mentioned above, is widely thought to have been part of the same "Olympic Games"-codenamed US-Israeli operation that spawned Stuxnet, a software nasty specifically engineered to knacker fuel centrifuges at Iranian nuclear sites.

Kaspersky Lab researchers conclude that "developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals."

This doesn't mean there's a direct link between Agent.btz's makers and the developers of subsequent cyber-espionage tools, however.

“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, a senior security researcher at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.

"It is no secret that Agent.btz used ‘thumb.dd’ as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent-BTZ to encrypt their log files was also published in 2008."

Agent.btz was discovered on 13,800 systems across 100 countries, according to Kaspersky Lab data from last year. The malware continues to spread thanks to the continued circulation of infected USB drives.

More details of Kaspersky's analysis of the links between numerous cyber-espionage strains can be found here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.