Attacks/Breaches
3/14/2014
05:53 PM

Cyberespionage Worm May Have Ties To Multiple Spy Campaigns

Researchers at Kaspersky Lab have traced links between Agent.btz and notorious cyberespionage malware, such as Flame

Finding the sources of inspiration for an idea can be tricky; sometimes they are obvious, sometimes not. Such is the case with Agent.btz and some of the most publicized cyberespionage tools of recent years.

According to researchers from Kaspersky Lab, Agent.btz may have some cousins circulating on the Internet, namely the recently revealed Turla malware -- also known as Snake -- as well as the infamous Flame, Gauss, and Red October malware.

The Agent.btz worm has a long history in cyberattacks. In 2008, it was at the center of an incident eventually dubbed "the most significant breach of U.S. military computers ever" by former Deputy Defense Secretary William J. Lynn III. It took the U.S. Department of Defense more than a year to clean the infection from its systems.

Turla has also been linked to attacks in the United States, as well as attacks on other countries such as the Ukraine.

"In targeted attack situations, it is much more likely that two actors active on the same victim would tolerate and ignore each other, unless they disrupt each other's operations," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "It is very unusual to see either actor interaction at the victim site or highly specific shared artifacts across precise APT-related isolated tools like these. Anything is possible, and new challenges pop up all the time, but it's very unusual. Of course, we saw ripped exploit attachments from likely CN actors repurposed as a part of the Red October campaigns, but that was very unusual as well."

When Kaspersky Lab first became aware of the Turla cyberespionage campaign last March, the company was also investigating a sophisticated rootkit originally known as the Sun rootkit. Later it became apparent that the rootkit and Turla were one and the same.

During this research, Kaspersky Lab also noticed links between Turla and Agent.btz. As it turns out, Turla uses the same file names as Agent.btz for the logs it stores on the infected system ("mswmpdat.tlb," "winview.ocx," and "wmcache.nld"). It also uses the same XOR key for encrypting its log files.

But the connections between Agent.btz and other malware don't stop there. According to Kaspersky Lab, the Red October developers must have known about Agent.btz's functionality because their USB stealer module searches for the worm's data containers. Those containers hold information about infected systems and activity logs.

Further, both the notorious Flame and Gauss malware use naming conventions similar to those of Agent.btz, such as "*.ocx" files and "thumb*.db." They also use the USB drive as a container for stolen data.
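A defender can triage a file listing against the file names this article quotes, as in the sketch below. It is an added example, not code from Kaspersky Lab or the original article; the strong/weak tiers, the function names and the sample paths are assumptions made for illustration.

```python
import fnmatch
import ntpath

# Names quoted in the article: exact names are strong, wildcards are weak.
EXACT_NAMES = {
    "mswmpdat.tlb": "Agent.btz/Turla log file",
    "winview.ocx": "Agent.btz/Turla log file",
    "wmcache.nld": "Agent.btz/Turla log file",
    "thumb.dd": "Agent.btz data container",
}
WEAK_PATTERNS = {
    "thumb*.db": "Flame/Gauss-style name (also matches Windows Thumbs.db)",
    "*.ocx": "Flame/Gauss-style name (also any ActiveX control)",
}

def classify(path):
    """Return (tier, reason) for one path, or None if nothing matches."""
    # ntpath splits on both '\\' and '/', so Windows and POSIX listings work.
    name = ntpath.basename(path).lower()
    if name in EXACT_NAMES:
        return ("strong", EXACT_NAMES[name])
    for pattern, reason in WEAK_PATTERNS.items():
        if fnmatch.fnmatchcase(name, pattern):
            return ("weak", reason)
    return None

def triage(paths):
    """Group matching paths by tier so strong hits are reviewed first."""
    hits = {"strong": [], "weak": []}
    for path in paths:
        result = classify(path)
        if result:
            hits[result[0]].append((path, result[1]))
    return hits

# Constructed sample listing (not taken from any real system).
SAMPLE_LISTING = [
    r"C:\Windows\System32\WinView.ocx",
    r"C:\Windows\System32\mscomctl.ocx",
    r"E:\thumb.dd",
    r"E:\Photos\Thumbs.db",
    "/mnt/usb/wmcache.nld",
    r"C:\Users\alice\report.docx",
]

if __name__ == "__main__":
    for tier, items in triage(SAMPLE_LISTING).items():
        for path, reason in items:
            print(f"{tier:6} {path}  ({reason})")
```

The wildcard conventions alone are poor indicators: "thumb*.db" matches the thumbnail cache Windows itself creates, so only the exact names warrant immediate review.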

Despite noting the similarities, Kaspersky Lab cautiously avoided stating a firm connection between the malware, though in his analysis chief security expert Aleks Gostev stated it is possible Agent.btz is a starting point "in the chain of creation of several different cyber-espionage projects."

"The information used by developers was publicly known at the time of Red October and Flame/Gauss' creation," he said in a statement. "It is no secret that Agent.btz used 'thumb.dd' as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008. We do not know when this key was first used in Turla, but we can see it for certain in the latest samples of the malware, which were created around 2013-2014. At the same time, there is some evidence which points towards Turla's development starting in 2006 -- before any known sample of Agent.btz; which leaves the question open."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
