Attacks/Breaches
3/14/2014
05:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Cyberespionage Worm May Have Ties To Multiple Spy Campaigns

Researchers at Kaspersky Lab have traced links between Agent.btz and notorious cyberespionage malware, such as Flame

Finding the sources of inspiration for an idea can be tricky; sometimes they are obvious, sometimes not. Such is the case with the Agent.btz and some of the most publicized cyberespionage tools of recent years.

According to researchers from Kaspersky Lab, Agent.btz may have some cousins circulating the Internet, namely the recently revealed Turla malware -- also known as Snake --- as well as the infamous Flame, Gauss, and Red October malware.

The Agent.btz worm has a long history in cyberattacks. In 2008, it was at the center of an incident eventually dubbed "the most significant breach of U.S. military computers ever" by former Deputy Defense Secretary William J. Lynn III. It took the U.S. Department of Defense more than a year to clean the infection from its systems.

Turla has also been linked to attacks in the United States, as well as attacks on other countries such as the Ukraine.

"In targeted attack situations, it is much more likely that two actors active on the same victim would tolerate and ignore each other, unless they disrupt each other's operations," says Kurt Baumgartner, principal security researcher at Kaspersky Lab. "It is very unusual to see either actor interaction at the victim site or highly specific shared artifacts across precise APT-related isolated tools like these. Anything is possible, and new challenges pop up all the time, but it's very unusual. Of course, we saw ripped exploit attachments from likely CN actors repurposed as a part of the Red October campaigns, but that was very unusual as well."

When Kaspersky Lab first became aware of the Turla cyberespionage campaign last March, the company was also investigating a sophisticated rootkit originally known as the Sun rootkit. Later it became apparent that the rootkit and Turla were one and the same.

During this research, Kaspersky Lab also noticed links between Turla and Agent.btz. As it turns out, Turla uses the same file names for its logs ("mswmpdat.tlb," "winview.ocx," and "wmcache.nld") while stored in the infected system as Agent.btz. It also uses the same XOR key for encrypting its log files.

But the connections between Agent.btz and other malware don't stop there. According to Kaspersky Lab, the Red October developers must have known about Agent.btz's functionality because their USB stealer module searches for the worm's data containers. Those containers hold information about infected systems and activity logs.

Further, both the notorious Flame and Gauss malware use similar naming conventions as Agent.btz, such as "*.ocx" files and "thumb*.db." In addition, they also use the USB drive as a container for stolen data.

Despite noting the similarities, Kaspersky Lab cautiously avoided stating a firm connection between the malware, though in his analysis chief security expert Aleks Gostev stated it is possible Agent.btz is a starting point "in the chain of creation of several different cyber-espionage projects."

"The information used by developers was publicly known at the time of Red October and Flame/Gauss' creation," he said in a statement. "It is no secret that Agent.btz used 'thumb.dd' as a container file to collect information from infected systems and in addition, the XOR key used by the developers of Turla and Agent.btz to encrypt their log files was also published in 2008. We do not know when this key was first used in Turla, but we can see it for certain in the latest samples of the malware, which were created around 2013-2014. At the same time, there is some evidence which points towards Turla's development starting in 2006 -- before any known sample of Agent.btz; which leaves the question open."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.