Attacks/Breaches
3/14/2014
05:53 PM
50%
50%

Cyberespionage Worm May Have Ties To Multiple Spy Campaigns

Researchers at Kaspersky Lab have traced links between Agent.btz and notorious cyberespionage malware, such as Flame

Finding the sources of inspiration for an idea can be tricky; sometimes they are obvious, sometimes not. Such is the case with the Agent.btz and some of the most publicized cyberespionage tools of recent years.

According to researchers from Kaspersky Lab, Agent.btz may have some cousins circulating the Internet, namely the recently revealed Turla malware -- also known as Snake --- as well as the infamous Flame, Gauss, and Red October malware.

The Agent.btz worm has a long history in cyberattacks. In 2008, it was at the center of an incident eventually dubbed "the most significant breach of U.S. military computers ever" by former Deputy Defense Secretary William J. Lynn III. It took the U.S. Department of Defense more than a year to clean the infection from its systems.

Turla has also been linked to attacks in the United States, as well as attacks on other countries such as the Ukraine.

"In targeted attack situations, it is much more likely that two actors active on the same victim would tolerate and ignore each other, unless they disrupt each other's operations," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "It is very unusual to see either actor interaction at the victim site or highly specific shared artifacts across precise APT-related isolated tools like these. Anything is possible, and new challenges pop up all the time, but it's very unusual. Of course, we saw ripped exploit attachments from likely CN actors repurposed as a part of the Red October campaigns, but that was very unusual as well."

When Kaspersky Lab first became aware of the Turla cyberespionage campaign last March, the company was also investigating a sophisticated rootkit originally known as the Sun rootkit. Later it became apparent that the rootkit and Turla were one and the same.

During this research, Kaspersky Lab also noticed links between Turla and Agent.btz. As it turns out, Turla uses the same file names for its logs ("mswmpdat.tlb," "winview.ocx," and "wmcache.nld") while stored in the infected system as Agent.btz. It also uses the same XOR key for encrypting its log files.

But the connections between Agent.btz and other malware don't stop there. According to Kaspersky Lab, the Red October developers must have known about Agent.btz's functionality because their USB stealer module searches for the worm's data containers. Those containers hold information about infected systems and activity logs.

Further, both the notorious Flame and Gauss malware use similar naming conventions as Agent.btz, such as "*.ocx" files and "thumb*.db." In addition, they also use the USB drive as a container for stolen data.

Despite noting the similarities, Kaspersky Lab cautiously avoided stating a firm connection between the malware, though in his analysis chief security expert Aleks Gostev stated it is possible Agent.btz is a starting point "in the chain of creation of several different cyber-espionage projects."

"The information used by developers was publicly known at the time of Red October and Flame/Gauss' creation," he said in a statement. "It is no secret that Agent.btz used 'thumb.dd' as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008. We do not know when this key was first used in Turla, but we can see it for certain in the latest samples of the malware, which were created around 2013-2014. At the same time, there is some evidence which points towards Turla's development starting in 2006 -- before any known sample of Agent.btz; which leaves the question open."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.