Feeds

New fear: Worm that ransacked US military PCs was blueprint for spies' super-malware

Secret stealer spawned spooks' snoop stooge, it seems

Remote control for virtualized desktops

A mystery worm that burrowed into US military computers to steal secrets six years ago may have inspired the development of subsequent government-grade malware Red October, Turla, Flame and Gauss.

Researchers at Kaspersky Lab reached this conclusion after finding similarities between Agent.btz – the worm that attacked in 2008 – and Turla, a powerful computer espionage tool that was only discovered last month.

Agent.btz infected the network of the US Central Command in the Middle East. Military officials at the time described it as the "worst breach of US military computers in history." The worm spread after a USB drive containing the software nasty was plugged into a PC.

It took specialists at the Pentagon 14 months to completely disinfect Agent.btz from Uncle Sam's networks. The outbreak led to the creation of the US Cyber Command. The worm, thought to have been created around 2007, had the ability to scan computers for sensitive information and send that top-secret data to a remote command-and-control server.

Last month, experts from G Data wrote a report about the super-secretive spying Turla malware, and BAE Systems published its own research, both linking the development of Agent.btz and Turla (aka Uroburos or Snake).

G Data said data-stealing rootkit Turla was so sophisticated, it had to have been created by an intelligence agency, and strongly hinted that Russian spies were responsible.

The Snake espionage tool targeted systems in ‪Ukraine‬, but systems in the US, UK, Georgia and Belgium were also infiltrated. The timing of the malware predates the ongoing political and military tension between Ukraine and Russia in Crimea.

“We haven't found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads," said Jaime Blasco, a director of security dashboard tools firm AlienVault.

Viper's nest

Kaspersky Labs researchers will not speculate about the creator of Turla, instead listing reasons why they think Agent.btz may have been used as a template for Snake and other information-stealing cyber-pathogens:

  • Red October developers clearly knew about Agent.btz's functionality as their USB Stealer module (created in 2010-2011) searches for the worm's data containers (‘mssysmgr.ocx’ and ‘thumb.dd’ files) which hold information about infected systems and activity logs, and then steal it from the connected USB drives.
  • Turla uses the same file names for its logs (‘mswmpdat.tlb’, ‘winview.ocx’ and ‘wmcache.nld’) whilst stored in the infected system, and the same XOR key for encrypting its log files as Agent.btz. 
  • Flame/Gauss use similar naming conventions such as ‘*.ocx’ files and ‘thumb*.db’. Also, they use the USB drive as a container for stolen data.

The super-snooping Flame malware, mentioned above, is widely thought to have been part of the same "Olympic Games"-codenamed US-Israeli operation that spawned Stuxnet, a software nasty specifically engineered to knacker fuel centrifuges at Iranian nuclear sites.

Kaspersky Lab researchers conclude that "developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals."

This doesn't mean there's a direct link between Agent.btz's makers and the developers of subsequent cyber-espionage tools, however.

“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, a senior security researcher at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.

"It is no secret that Agent.btz used ‘thumb.dd’ as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent-BTZ to encrypt their log files was also published in 2008."

Agent.btz was discovered on 13,800 systems across 100 countries, according to Kaspersky Lab data from last year. The malware continues to spread thanks to the continued circulation of infected USB drives.

More details of Kaspersky's analysis of the links between numerous cyber-espionage strains can be found here. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.