New fear: Worm that ransacked US military PCs was blueprint for spies’ super-malware
Researchers at Kaspersky Lab reached this conclusion after finding similarities between Agent.btz – the worm that attacked in 2008 – and Turla, a powerful computer espionage tool that was only discovered last month.
Agent.btz infected the network of the US Central Command in the Middle East. Military officials at the time described it as the “worst breach of US military computers in history.” The worm spread after a USB drive containing the software nasty was plugged into a PC.
It took specialists at the Pentagon 14 months to completely disinfect Agent.btz from Uncle Sam’s networks. The outbreak led to the creation of the US Cyber Command. The worm, thought to have been created around 2007, had the ability to scan computers for sensitive information and send that top-secret data to a remote command-and-control server.
Last month, experts from G Data wrote a report about the super-secretive spying Turla malware, and BAE Systems published its own research, both linking the development of Agent.btz and Turla (aka Uroburos or Snake).
G Data said data-stealing rootkit Turla was so sophisticated, it had to have been created by an intelligence agency, and strongly hinted that Russian spies were responsible.
The Snake espionage tool targeted systems in Ukraine, but systems in the US, UK, Georgia and Belgium were also infiltrated. The timing of the malware predates the ongoing political and military tension between Ukraine and Russia in Crimea.
“We haven’t found any infection vector yet but based on the techniques and the targets that they are compromising it is very likely that they are using a combination of spear-phishing campaigns, waterhole and strategic web compromises and even physical access to drop payloads,” said Jaime Blasco, a director of security dashboard tools firm AlienVault.
Kaspersky Labs researchers will not speculate about the creator of Turla, instead listing reasons why they think Agent.btz may have been used as a template for Snake and other information-stealing cyber-pathogens:
- Red October developers clearly knew about Agent.btz’s functionality as their USB Stealer module (created in 2010-2011) searches for the worm’s data containers (‘mssysmgr.ocx’ and ‘thumb.dd’ files) which hold information about infected systems and activity logs, and then steal it from the connected USB drives.
- Turla uses the same file names for its logs (‘mswmpdat.tlb’, ‘winview.ocx’ and ‘wmcache.nld’) whilst stored in the infected system, and the same XOR key for encrypting its log files as Agent.btz.
- Flame/Gauss use similar naming conventions such as ‘*.ocx’ files and ‘thumb*.db’. Also, they use the USB drive as a container for stolen data.
The super-snooping Flame malware, mentioned above, is widely thought to have been part of the same “Olympic Games”-codenamed US-Israeli operation that spawned Stuxnet, a software nasty specifically engineered to knacker fuel centrifuges at Iranian nuclear sites.
Kaspersky Lab researchers conclude that “developers of the four [later] cyber espionage campaigns studied Agent.btz in detail to understand how it works, the file names it uses, and used this information as a model for the development of the malware programs, all of which had similar goals.”
This doesn’t mean there’s a direct link between Agent.btz’s makers and the developers of subsequent cyber-espionage tools, however.
“It is not possible to draw such a conclusion based on these facts alone,” said Aleks Gostev, a senior security researcher at Kaspersky Lab. “The information used by developers was publicly known at the time of Red October and Flame/Gauss’ creation.
“It is no secret that Agent.btz used ‘thumb.dd’ as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent-BTZ to encrypt their log files was also published in 2008.”
Agent.btz was discovered on 13,800 systems across 100 countries, according to Kaspersky Lab data from last year. The malware continues to spread thanks to the continued circulation of infected USB drives.
More details of Kaspersky’s analysis of the links between numerous cyber-espionage strains can be found here. ®