Attacks/Breaches
3/14/2014
05:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Cyberespionage Worm May Have Ties To Multiple Spy Campaigns

Researchers at Kaspersky Lab have traced links between Agent.btz and notorious cyberespionage malware, such as Flame

Finding the sources of inspiration for an idea can be tricky; sometimes they are obvious, sometimes not. Such is the case with the Agent.btz and some of the most publicized cyberespionage tools of recent years.

According to researchers from Kaspersky Lab, Agent.btz may have some cousins circulating the Internet, namely the recently revealed Turla malware -- also known as Snake --- as well as the infamous Flame, Gauss, and Red October malware.

The Agent.btz worm has a long history in cyberattacks. In 2008, it was at the center of an incident eventually dubbed "the most significant breach of U.S. military computers ever" by former Deputy Defense Secretary William J. Lynn III. It took the U.S. Department of Defense more than a year to clean the infection from its systems.

Turla has also been linked to attacks in the United States, as well as attacks on other countries such as the Ukraine.

"In targeted attack situations, it is much more likely that two actors active on the same victim would tolerate and ignore each other, unless they disrupt each other's operations," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "It is very unusual to see either actor interaction at the victim site or highly specific shared artifacts across precise APT-related isolated tools like these. Anything is possible, and new challenges pop up all the time, but it's very unusual. Of course, we saw ripped exploit attachments from likely CN actors repurposed as a part of the Red October campaigns, but that was very unusual as well."

When Kaspersky Lab first became aware of the Turla cyberespionage campaign last March, the company was also investigating a sophisticated rootkit originally known as the Sun rootkit. Later it became apparent that the rootkit and Turla were one and the same.

During this research, Kaspersky Lab also noticed links between Turla and Agent.btz. As it turns out, Turla uses the same file names for its logs ("mswmpdat.tlb," "winview.ocx," and "wmcache.nld") while stored in the infected system as Agent.btz. It also uses the same XOR key for encrypting its log files.

But the connections between Agent.btz and other malware don't stop there. According to Kaspersky Lab, the Red October developers must have known about Agent.btz's functionality because their USB stealer module searches for the worm's data containers. Those containers hold information about infected systems and activity logs.

Further, both the notorious Flame and Gauss malware use similar naming conventions as Agent.btz, such as "*.ocx" files and "thumb*.db." In addition, they also use the USB drive as a container for stolen data.

Despite noting the similarities, Kaspersky Lab cautiously avoided stating a firm connection between the malware, though in his analysis chief security expert Aleks Gostev stated it is possible Agent.btz is a starting point "in the chain of creation of several different cyber-espionage projects."

"The information used by developers was publicly known at the time of Red October and Flame/Gauss' creation," he said in a statement. "It is no secret that Agent.btz used 'thumb.dd' as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008. We do not know when this key was first used in Turla, but we can see it for certain in the latest samples of the malware, which were created around 2013-2014. At the same time, there is some evidence which points towards Turla's development starting in 2006 -- before any known sample of Agent.btz; which leaves the question open."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.