Feeds

New fear: Worm that ransacked US military PCs was blueprint for spies' super-malware

Secret stealer spawned spooks' snoop stooge, it seems

The Essential Guide to IT Transformation

A mystery worm that burrowed into US military computers to steal secrets six years ago may have inspired the development of subsequent government-grade malware Red October, Turla, Flame and Gauss.

Researchers at Kaspersky Lab reached this conclusion after finding similarities between Agent.btz – the worm that attacked in 2008 – and Turla, a powerful computer espionage tool that was only discovered last month.

Agent.btz infected the network of the US Central Command in the Middle East. Military officials at the time described it as the "worst breach of US military computers in history." The worm spread after a USB drive containing the software nasty was plugged into a PC.

It took specialists at the Pentagon 14 months to completely disinfect Agent.btz from Uncle Sam's networks. The outbreak led to the creation of the US Cyber Command. The worm, thought to have been created around 2007, had the ability to scan computers for sensitive information and send that top-secret data to a remote command-and-control server.

Last month, experts from G Data wrote a report about the super-secretive spying Turla malware, and BAE Systems published its own research, both linking the development of Agent.btz and Turla (aka Uroburos or Snake).

G Data said data-stealing rootkit Turla was so sophisticated, it had to have been created by an intelligence agency, and strongly hinted that Russian spies were responsible.

The Snake espionage tool targeted systems in ‪Ukraine‬, but systems in the US, UK, Georgia and Belgium were also infiltrated. The timing of the malware predates the ongoing political and military tension between Ukraine and Russia in Crimea.

“We haven't found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads," said Jaime Blasco, a director of security dashboard tools firm AlienVault.

Viper's nest

Kaspersky Labs researchers will not speculate about the creator of Turla, instead listing reasons why they think Agent.btz may have been used as a template for Snake and other information-stealing cyber-pathogens:

  • Red October developers clearly knew about Agent.btz's functionality as their USB Stealer module (created in 2010-2011) searches for the worm's data containers (‘mssysmgr.ocx’ and ‘thumb.dd’ files) which hold information about infected systems and activity logs, and then steal it from the connected USB drives.
  • Turla uses the same file names for its logs (‘mswmpdat.tlb’, ‘winview.ocx’ and ‘wmcache.nld’) whilst stored in the infected system, and the same XOR key for encrypting its log files as Agent.btz. 
  • Flame/Gauss use similar naming conventions such as ‘*.ocx’ files and ‘thumb*.db’. Also, they use the USB drive as a container for stolen data.

The super-snooping Flame malware, mentioned above, is widely thought to have been part of the same "Olympic Games"-codenamed US-Israeli operation that spawned Stuxnet, a software nasty specifically engineered to knacker fuel centrifuges at Iranian nuclear sites.

Kaspersky Lab researchers conclude that "developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals."

This doesn't mean there's a direct link between Agent.btz's makers and the developers of subsequent cyber-espionage tools, however.

“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, a senior security researcher at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.

"It is no secret that Agent.btz used ‘thumb.dd’ as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent-BTZ to encrypt their log files was also published in 2008."

Agent.btz was discovered on 13,800 systems across 100 countries, according to Kaspersky Lab data from last year. The malware continues to spread thanks to the continued circulation of infected USB drives.

More details of Kaspersky's analysis of the links between numerous cyber-espionage strains can be found here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.