The past few days have seen extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.

One of the main conclusions, also pointed out by research from BAE Systems, is a connection between the authors of Turla and those of another malicious program, known as Agent.BTZ, which infected the local networks of US military operations in the Middle East in 2008.

We first became aware of this targeted campaign in March 2013. This became apparent when we investigated an incident which involved a highly sophisticated rootkit. We called it the ‘Sun rootkit’, based on a filename used as a virtual file system: sunstore.dmp, also accessible as \\.\Sundrive1 and \\.\Sundrive2. The ‘Sun rootkit’ and Uroburos are the same.

We are still actively investigating Turla, and we believe it is far more complex and versatile than the already published materials suggest.

At this point, I would like to discuss the connection between Turla and Agent.btz in a little more detail.

Agent.btz: a global epidemic or a targeted attack?

The story of Agent.btz began back in 2007 and was extensively covered by the mass media in late 2008 when it was used to infect US military networks.

Here is what Wikipedia has to say about it: “The 2008 cyberattack on the United States was the ‘worst breach of U.S. military computers in history’. The defense against the attack was named ‘Operation Buckshot Yankee’. It led to the creation of the United States Cyber Command.

It started when a USB flash drive infected by a foreign intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East. It contained malicious code and was put into a USB port from a laptop computer that was attached to United States Central Command.

The Pentagon spent nearly 14 months cleaning the worm, named Agent.btz, from military networks. Agent.btz, a variant of the SillyFDC worm, has the ability ‘to scan computers for data, open backdoors, and send through those backdoors to a remote command and control server’.”

We do not know how accurate the story of the USB flash drive left in the parking lot is. We have also heard several other versions of this story, which may or may not be right. However, the important fact here is that Agent.btz was a self-replicating computer worm, not just a Trojan. Another important fact is that the malware has dozens of different variants.

We believe that the initial variants of the worm were created back in 2007. By 2011 a large number of its modifications had been detected. Today, most variants are detected by Kaspersky products as Worm.Win32.Orbina.

Curiously, in accordance with the naming convention used by PC Tools, the worm is also named Voronezh.1600, possibly a reference to the mythical Voronezh school of hackers in Russia.

In any event, it is quite obvious that the US military were not the only victims of the worm. Copying itself from one USB flash drive to another, it rapidly spread globally. Although no new variants of the malware have been created for several years, and the weakness that let the worm launch from USB flash drives via "autorun.inf" has long since been closed in newer versions of Windows, according to our data Agent.btz was detected 13,832 times in 107 countries across the globe in 2013 alone.

The dynamics of the worm’s epidemic are also worth noting. Over three years – from 2011 to 2013 – the number of infections caused by Agent.btz steadily declined; however, the top 10 affected countries changed very little.

Agent.BTZ detections (unique users), 2011
  1.  Russian Federation      24,111
  9.  United Kingdom             761
      Total countries            147
      Total users             63,021

Agent.BTZ detections (unique users), 2012
  1.  Russian Federation      11,211
  9.  United Kingdom             335
      Total countries            130
      Total users             30,923

Agent.BTZ detections (unique users), 2013
  1.  Russian Federation       4,566
  10. United Kingdom             123
      Total countries            107
      Total users             13,832

The statistics presented above are based on the following Kaspersky Anti-Virus verdicts: Worm.Win32.Autorun.j, Worm.Win32.Autorun.bsu, Worm.Win32.Autorun.bve, Trojan-Downloader.Win32.Agent.sxi, Worm.Win32.AutoRun.lqb, Trojan.Win32.Agent.bve, Worm.Win32.Orbina

To summarize the above, the Agent.btz worm has clearly spread all over the world, with Russia leading in terms of the number of infections for several years.

Map of infections caused by different modifications of “Agent.btz” in 2011-2013

For detailed information on the modus operandi of Agent.btz, I recommend reading an excellent report prepared by Sergey Shevchenko from ThreatExpert, back in November 2008.

On infected systems, the worm creates a file named ‘thumb.dd’ on all USB flash drives connected to the computer, using it to store a CAB file containing the following files: “winview.ocx”, “wmcache.nld” and “mswmpdat.tlb”. These files contain information about the infected system and the worm’s activity logs for that system. Essentially, “thumb.dd” is a container for data which is saved on the flash drive, unless it can be sent directly over the Internet to the C&C server.

If such a flash drive is inserted into another computer infected with Orbina, the file “thumb.dd” will be copied to the computer under the name “mssysmgr.ocx”.

Given this functionality and the global scale of the epidemic caused by the worm, we believe that there are tens of thousands of USB flash drives in the world containing files named “thumb.dd” created by Agent.btz at some point in time and containing information about systems infected by the worm.

Red October: a data collector?

Over a year ago, we analyzed dozens of modules used by Red October, an extremely sophisticated cyber espionage operation. While performing the analysis, we noticed that the list of files that a module named "USB Stealer" searches for on USB flash drives connected to infected computers included the names of files created by Agent.btz: "mssysmgr.ocx" and "thumb.dd".

This means that Red October developers were actively looking for data collected several years previously by Agent.btz. All the USB Stealer modules known to us were created in 2010-2011.

Both Red October and Agent.btz were, in all probability, created by Russian-speaking malware writers. One program “knew” about the files created by the other and tried to make use of them. Are these facts sufficient to conclude that there was a direct connection between the developers of the two malicious programs?

I believe they are not.

First and foremost, it should be noted that the fact that the file “thumb.dd” contains data from Agent.btz-infected systems was publicly known. It is not impossible that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other people’s work to collect additional data. It should also be remembered that Red October was a tool for highly targeted pinpoint attacks, whereas Agent.btz was a worm, by definition designed to spread uncontrollably and “collect” any data it could access.

Basically, any malware writer could add scanning of USB flash drives for "thumb.dd" files, and the theft of those files, to their Trojan's functionality. Why not steal additional data without much additional effort? However, decrypting the stolen data requires one other thing: the encryption key.

Agent.btz and Turla/Uroburos

The connection between Turla and Agent.btz is more direct, although not sufficiently so to conclude that the two programs have the same origin.

Turla uses the same file names as Agent.btz – “mswmpdat.tlb”, “winview.ocx” and “wmcache.nld” for its log files stored on infected systems.

All the overlapping file names are presented in the table below:

              Agent.btz       Red October     Turla
Log files     thumb.dd        thumb.dd        -
              winview.ocx     -               winview.ocx
              wmcache.nld     -               wmcache.nld
              mswmpdat.tlb    -               mswmpdat.tlb
              fa.tmp          -               fa.tmp

In addition, Agent.btz and Turla use the same XOR key to encrypt their log files.

The key is not a secret, either: it was discovered and published back in 2008 and anybody who had an interest in the Agent.btz story knew about the key. Is it possible that the developers of Turla decided to use somebody else’s key to encrypt their logs? We are as yet unable to determine at what point in time this particular key was adopted for Turla. It is present in the latest samples (dated 2013-2014), but according to some data the development of Turla began back in 2006 – before the earliest known variant of Agent.btz was created.

Red October and Turla

Now we have determined that Red October “knew” about the file names used by Agent.btz and searched for them. We have also determined that Turla used the same file names and encryption key as Agent.btz.

So what about a possible connection between Red October and Turla? Is there one? Having analyzed all the data at our disposal, we do not see any overlap between the two projects. They do not "know" about each other, they do not communicate with each other in any way, and they differ in both architecture and the technologies used.

The only thing they really have in common is that the developers of both Rocra and Turla appear to have Russian as their native language.

What about Flame?

Back in 2012, while analyzing Flame and its cousins Gauss and MiniFlame, we noticed some similarities between them and Agent.btz (Orbina). The first thing we noticed was the analogous naming convention, with a predominance of files carrying the .ocx extension. Take, for example, the name of Flame's main module, "mssecmgr.ocx". In Agent.btz a very similar name was used for the log-file container on the infected system: "mssysmgr.ocx". And in Gauss, all modules took the form of files named *.ocx.

Encryption methods       XOR                  XOR
Using USB as storage     Yes (hub001.dat)     Yes (.thumbs.db)

The Kurt/Godel module in Gauss contains the following functionality: when a drive contains a '.thumbs.db' file, its contents are read and checked for the magic number 0xEB397F2B. If found, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes the '.thumbs.db' file.

This is a container for data stolen by the 'dskapi' payload.

In addition, MiniFlame (module icsvnt32) also "knew" about the ".thumbs.db" file and searched for it on USB sticks.

If we recall that our data indicate the development of both Flame and Gauss started back in 2008, it cannot be ruled out that the developers of these programs were well acquainted with the analysis of Agent.btz and possibly borrowed some ideas from it.
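A practitioner reading the overlap table, the note about the shared XOR key and the Gauss ".thumbs.db" magic above will want a way to hunt for these leftovers on a mounted USB stick or a host. The Python below is an added example, not code from Kaspersky or from any of the malware families: it walks a directory tree for the filenames listed in the article, checks "thumb.dd" for the CAB signature the article says it carries, checks ".thumbs.db" for the magic 0xEB397F2B (the offset and byte order are assumptions; the article gives only the value), and attempts a repeating-key XOR decryption of the Turla/Agent.btz log names with a placeholder key, because the real key is not reproduced on this page. The sample files it scans are constructed inside the script.

```python
"""Hunt for the USB/host filename artifacts shared by Agent.btz, Red October,
Turla, Flame and Gauss as listed in the article, and triage each hit.

Added example; not code from Kaspersky or from any of the malware families.
Assumptions: PLACEHOLDER_KEY stands in for the real XOR key (not reproduced
on this page); the Gauss magic 0xEB397F2B is checked at offset 0 in either
byte order (the article gives only the value, not its location).
"""
import os
import shutil
import struct
import tempfile

# Filenames from the overlap table and the Flame/Gauss discussion in the article.
ARTIFACTS = {
    "thumb.dd":     "Agent.btz CAB container on USB; Red October USB Stealer target",
    "mssysmgr.ocx": "Agent.btz copy of thumb.dd on the host; Red October target",
    "winview.ocx":  "Agent.btz and Turla log file",
    "wmcache.nld":  "Agent.btz and Turla log file",
    "mswmpdat.tlb": "Agent.btz and Turla log file",
    "fa.tmp":       "Agent.btz and Turla",
    "hub001.dat":   "USB storage file from the Flame/Gauss comparison table",
    ".thumbs.db":   "Gauss (Kurt/Godel) USB storage; also searched for by MiniFlame",
    "wabdat.dat":   "Gauss host container for data read from .thumbs.db",
}
XOR_LOG_NAMES = ("winview.ocx", "wmcache.nld", "mswmpdat.tlb")
GAUSS_MAGIC = 0xEB397F2B
PLACEHOLDER_KEY = b"PLACEHOLDER-KEY-NOT-THE-REAL-ONE"  # assumption: stand-in key


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The operation is its own inverse, so the same call
    encrypts and decrypts; that is why a published key is fatal to the scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def has_gauss_magic(head: bytes) -> bool:
    """Magic at offset 0, little- or big-endian (location assumed, see docstring)."""
    if len(head) < 4:
        return False
    le, be = struct.unpack("<I", head[:4])[0], struct.unpack(">I", head[:4])[0]
    return GAUSS_MAGIC in (le, be)


def scan(root: str, xor_key: bytes = PLACEHOLDER_KEY) -> list:
    """Walk `root`; return one dict per filename match with triage fields."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname not in ARTIFACTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            hit = {"path": path, "name": lname, "why": ARTIFACTS[lname],
                   "size": os.path.getsize(path)}
            if lname == "thumb.dd":
                hit["cab_signature"] = head[:4] == b"MSCF"  # article: thumb.dd holds a CAB
            if lname == ".thumbs.db":
                hit["gauss_magic"] = has_gauss_magic(head)
            if lname in XOR_LOG_NAMES:
                dec = xor_crypt(head, xor_key)
                ratio = round(printable_ratio(dec), 2)
                hit["xor_plaintext_ratio"] = ratio
                # Triage signal only: a real log should come out as clean text, but an
                # ASCII key over ASCII data also leaves many bytes printable, so read the preview.
                hit["looks_decrypted"] = ratio >= 0.98
                hit["preview"] = dec[:60].decode("ascii", "replace")
            hits.append(hit)
    return sorted(hits, key=lambda h: h["name"])


def build_demo_tree() -> str:
    """Constructed sample tree standing in for a mounted USB stick."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    log = b"2014-03-12 09:15:02 | dir C:\\Users\\demo\\Documents | 12 files\n" * 20
    with open(os.path.join(root, "winview.ocx"), "wb") as fh:
        fh.write(xor_crypt(log, PLACEHOLDER_KEY))          # "encrypted" Turla-style log
    with open(os.path.join(root, ".thumbs.db"), "wb") as fh:
        fh.write(struct.pack("<I", GAUSS_MAGIC) + b"\x00" * 64)
    with open(os.path.join(root, "thumb.dd"), "wb") as fh:
        fh.write(b"MSCF" + b"\x00" * 32)                   # CAB signature
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)       # unrelated file, must not match
    return root


def demo() -> list:
    root = build_demo_tree()
    try:
        return scan(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

Point `scan()` at a real mount point instead of the demo tree; the filename list is deliberately generous, so treat a hit as a lead for manual review (check the CAB signature, the magic and the decryption preview) rather than as a verdict.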

All together now

The data can be presented in the form of a diagram showing the interrelations among all the analyzed malicious programs:

As can be seen in the diagram, the developers of all three (or four, if we include Gauss) spy programs knew about Agent.btz, i.e., how it works and what filenames it uses, and used that information either to directly adopt its functionality, ideas and even filenames, or to try to make use of the results of Agent.btz's work.

Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it.

Attribution-NonCommercial

Ryansecurity

Life is fun security story

A few days ago the personal blog and Reddit account of MtGox CEO Mark Karpeles were hacked. Attackers used them to post a file, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealing malware, taking advantage of people's keen interest in the MtGox topic.

The file is a zip archive (MD5 90e78be95914f93030b04eaceb22b447). It contains different kinds of data. The biggest item inside, at 620MB, is actually publicly available data on MtGox trades. Finally, the archive contains software binaries for Windows PC and Mac.

MtGox leaked archive

We detect the Windows Trojan (MD5 c4e99fdcd40bee6eb6ce85167969348d), a 4.3MB PE32 executable, as Trojan.Win32.CoinStealer.i, and the OS X variant (MD5 ea722bea2a44cd06d797107d5ff9da92) as Trojan.OSX.Coinstealer.a. Both have been created with the LiveCode programming language, an open-source, cross-platform application development language. When the victim executes the application, it looks like back-office software for accessing the databases of Mt. Gox's owning company, Tibanne Co. Ltd.

Executed application

The malware part is quite simple. The LiveCode application contains its source code as an encrypted and packed binary that becomes available in memory when executed. We dumped the Trojan code from memory and analyzed it.

The malware creates and executes the TibanneSocket.exe binary and searches for the files bitcoin.conf and wallet.dat. The latter is a critical data file for a Bitcoin user: if it is kept unencrypted and is stolen, the cybercriminals gain access to all the Bitcoins the user holds in that wallet.

Bitcoin wallet search source code with decoded strings

When the Trojan finds Bitcoin files, it sends their content to a web server.

Communication code sample

The command and control server, which used to be located in Bulgaria, seems to have been shut down and is now offline.

Malware creators often use social engineering tricks and hot discussion topics to spread malware, and this is a great example of an attack on a focused target audience.


When Thomas Edison said "we will make electricity so cheap that only the rich will burn candles," one wonders whether he envisioned how essential it would become to everyday life. Energy must be regarded as part of our critical infrastructure, and that is exactly what makes it an attractive target for cyber criminals.

The number of attacks on the energy sector is growing and, according to reporting by the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), exceeds that of every other critical infrastructure sector. The report indicates that in the eight months ending May 2013, 54% of all attacks investigated targeted energy companies, a 41% increase over the previous 12 months. The other sectors the report treats as critical infrastructure include critical manufacturing, next at close to 17%, followed by communications, transportation, water, nuclear and government facilities, among others.

The control networks that energy companies operate are complex, constantly expanding, and dependent on automation. Moving from serial to routable protocols simplifies connectivity, but it also exposes the network to greater risk, because the attacker no longer needs physical access to the target to get in. The Internet of Things will extend connectivity to a proliferation of devices, creating further openings for attackers to exploit new vulnerabilities and gaps in cyber security.

The recent passage of NERC CIP version 5 shows that companies recognize the rising risk to their networks and are looking for ways to mitigate and manage it. With the broad and serious consequences of a breach, and fines of up to $1 million per day per violation, energy companies are taking action. It is important to note, however, that while a lack of compliance compromises protection, being compliant is not the same as being secure: sophisticated targeted attacks are the new reality.

The DHS report found that most of the incidents targeting the energy sector involved attacker techniques such as watering-hole attacks, SQL injection and spear phishing. Two of these methods rely on the human element to introduce malware, and, as Stuxnet showed, even air gaps get crossed through human error. Perimeter-based defenses and techniques are clearly being evaded, and once inside the network an attacker is free to act at will. Companies need to identify new ways of dealing with these advanced attacks, which exploit networks with a larger attack surface, trusted users and growing complexity.

Utility company control center

Complicating matters further, the information technology (IT) security solutions used on the enterprise network cannot simply be dropped onto the control network to protect it. The two teams that manage these networks have different priorities. IT typically focuses on protecting data, while the operational technology (OT) team running the control network must put availability and reliability first; cyber security controls matter, but not at the expense of availability and reliability. When a control network fails there is a real risk to human life, environmental safety and the economy.

So what capabilities should energy companies look for to better defend their control networks against advanced attacks? It is not simply a matter of spending more: many companies already devote considerable resources to cyber security and still get attacked. It is a matter of shifting the mindset from "if" an attack happens to "when." Policies and controls that reduce the attack surface are essential, but threats will still get through. Consequently, technology must also be able to detect, understand and stop threats that have already penetrated the network. That requires a new approach to cyber security that does not rely exclusively on air gaps or point-in-time detection tools but addresses the whole attack continuum: before, during and after an attack.

Energy companies should seek solutions with the following capabilities, which help address each phase of the attack continuum while meeting the sector's unique requirements.

Phase 1: Before an attack. To defend before an attack happens, energy companies need an inventory of the entire network and every cyber asset on it, for example applications, protocols, users and devices such as remote terminal units and programmable logic controllers. To eliminate the risk of disruption, the system must be able to profile the control network passively, without sitting inline. Only by knowing everything on the control network can the OT and IT security teams implement the policies and controls to defend it.

Phase 2: During an attack. The NERC CIP standards take a risk-based approach to security; the focus is risk assessment and management. Most energy companies do not have a team of people who can manually assess the risk of every potential event and act on it, so they can end up spending time analyzing events that pose little risk in their particular environment. Technology that delivers event notifications with the right context, for example impact flags that distinguish real attacks from suspicious activity and background noise, helps prioritize the effort and direct resources to the most important threats.

Phase 3: After an attack. Invariably, some attacks will succeed. Energy companies need to be able not only to limit the damage but also to learn from the attack. Technologies such as retrospective security help marginalize the impact of an attack by identifying the point of entry, determining the scope, containing the threat, remediating, and updating protections against similar attacks in future. With these processes and tools in place, energy companies can also more easily produce the reports that demonstrate NERC CIP compliance and pass audits.

The trajectory of attacks on the energy industry is eye-opening and will continue. The NERC CIP standards provide a baseline from which to start. But to genuinely solve these new and unique cyber security challenges, energy companies need to extend their approach to technologies that increase protection across the whole attack continuum while preserving availability and reliability.


Late last August, some visitors to the New York Times website received an unexpected surprise - the website was down.

The source of the interruption was not a power outage or even a denial-of-service attack. Instead, it was a battle against a DNS hijacking attempt believed to be connected to hacktivists of the Syrian Electronic Army.

The attack was one of several in 2013 that focused on DNS (Domain Name System) infrastructure, and security experts don't expect this year to be all that different, meaning organizations need to stay aware of DNS security threats.

Just last month, domain registrar and hosting provider Namecheap was hit with a distributed denial-of-service (DDoS) attack targeting its DNS platform that impacted roughly 300 sites. Beyond DDoS, attackers can also compromise a name server and redirect DNS queries to a name server under their control.

"DNS providers are often targets of attack because they are a central point for disrupting all services, web, mail, chat, etc. for an organization," said Michael Hamelin, lead X-Force security architect at IBM. "The DNS server is the roadmap for the Internet, and once disrupted, services that are the lifeblood of the organization such as web, mail, and chat become inaccessible. If a DNS provider goes down, it could mean that thousands of customers have their digital presence temporarily erased."

In the case of the New York Times, the attack that affected its users occurred when someone accessed a reseller account on Melbourne IT's systems and changed the DNS records for the newspaper's domain as well as other domain names. This kind of password theft can have far-reaching implications, said Hamelin, who recommended that DNS providers use two-factor authentication and "enable a restricted IP block requiring all edits to be made internally on the network."

"Organizations need to understand that just because they have outsourced their hosting and DNS, it doesn't mean that they're guaranteed that the vendor has taken adequate security precautions to provide a highly available and secure service," he said. "The organization needs to anticipate their DNS may become a target of an attack, and implement countermeasures such as using two different DNS systems and/or hosting providers."

By its very nature, DNS is one of the weaker links in many infrastructures, said Vann Abernethy, senior product manager at NSFOCUS, adding that the company had seen an increase in both DDoS attacks on DNS infrastructure last year as well as the use of DNS to amplify traffic. Juxtaposed with the critical nature of its operation, its status as a weak link makes it an enticing target for attacks, he said.

"There are quite a few variants of DDoS attacks that can be executed against DNS servers, such as DNS Query Flood – a resource consumption attack aimed at a single infrastructure," Abernethy said. "And there are new ones cropping up as well."

Among those is a technique similar to a DNS amplification attack that relies on the attacker sending a query with fake subdomains that the victim DNS server cannot resolve, flooding the DNS authoritative servers it must contact, he said.

Fortunately, there are a number of actions organizations can take to improve DNS security. For starters, don't run open resolvers, advised Mark Beckett, vice president of marketing for DNS security vendor Secure64.

"Open resolvers allow anyone on the internet to query a DNS resolver, and are widely used by botnets to inflict damage," he said. "[Also] don't allow spoofed IP addresses to exit your network. Organizations should set egress filters so that only packets with IP addresses within their network address space are allowed to exit their network. This eliminates the ability of the attack to spoof any IP address that it wishes from an infected machine."

He also suggested organizations use the rate-limiting capabilities within their DNS server if possible, and monitor the network to detect any sudden spikes in DNS packet rates or in inbound or outbound DNS traffic volume.

"Early detection of an attack can allow an organization to take defensive measures (like blocking attack traffic upstream at the router or firewall) before the attack is severe enough to impact their users or their network," he said.
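Beckett's advice to watch for sudden spikes in DNS packet rates, together with Abernethy's description of the fake-subdomain flood, translates into two straightforward checks over a resolver's query log. The Python below is an added example, not code from either vendor: the log format ("epoch_seconds client qname rcode") and the sample traffic are constructed inside the script, the "zone is the last two labels" rule is a simplification of what a public-suffix list would do, and the thresholds are illustrative starting points.

```python
"""Two detections for the DNS threats discussed in the article, run over a
resolver query log:
  1. a sudden per-client query-rate spike (DNS query flood), and
  2. a random-subdomain flood: many unique, never-seen labels under one zone
     that all come back NXDOMAIN, which forces the resolver to hammer the
     zone's authoritative servers.

Added example, not code from any vendor quoted in the article. The log format
('epoch_seconds client qname rcode') and the traffic from make_sample_log()
are constructed for this example; thresholds are starting points to tune.
"""
import random
import statistics
from collections import defaultdict


def make_sample_log(seed: int = 1) -> list:
    """Constructed traffic: 40 s of light benign lookups from three clients, plus
    a 10 s burst from 203.0.113.9 of random 12-char labels under victim.example."""
    rng = random.Random(seed)
    t0 = 1394000000
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "ns1.example.org"]
    lines = []
    for t in range(40):
        for client in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            for _ in range(rng.randint(1, 4)):
                lines.append(f"{t0 + t} {client} {rng.choice(benign)} NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for t in range(30, 40):
        for _ in range(400):
            label = "".join(rng.choice(alphabet) for _ in range(12))
            lines.append(f"{t0 + t} 203.0.113.9 {label}.victim.example NXDOMAIN")
    return lines


def parse(lines) -> list:
    """-> list of (ts, client, qname, rcode); qname lower-cased, root dot removed."""
    records = []
    for line in lines:
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode.upper()))
    return records


def qps_spikes(records, factor: float = 5.0, min_qps: int = 100) -> dict:
    """Per-client peak queries per second. Flag a client whose peak is both above
    min_qps and more than `factor` times the median per-client-second rate
    (a crude baseline; replace with your own traffic history in production)."""
    per_sec = defaultdict(int)
    for ts, client, _qname, _rcode in records:
        per_sec[(client, ts)] += 1
    baseline = statistics.median(per_sec.values())
    peaks = defaultdict(int)
    for (client, _ts), n in per_sec.items():
        peaks[client] = max(peaks[client], n)
    return {c: p for c, p in peaks.items() if p >= min_qps and p > factor * baseline}


def random_subdomain_zones(records, min_distinct: int = 100, nx_ratio: float = 0.9) -> dict:
    """Group queries by zone (assumed here to be the last two labels; use a
    public-suffix list for real traffic) and flag zones where the queries are
    mostly unique names that are answered NXDOMAIN."""
    names, total, nx = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, _client, qname, rcode in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # a bare zone apex is not a subdomain probe
        zone = ".".join(labels[-2:])
        names[zone].add(qname)
        total[zone] += 1
        if rcode == "NXDOMAIN":
            nx[zone] += 1
    flagged = {}
    for zone, count in total.items():
        distinct, ratio = len(names[zone]), nx[zone] / count
        if distinct >= min_distinct and ratio >= nx_ratio and distinct / count > 0.5:
            flagged[zone] = {"queries": count, "distinct_names": distinct,
                             "nxdomain_ratio": round(ratio, 2)}
    return flagged


def analyze(lines) -> dict:
    records = parse(lines)
    return {"qps_spikes": qps_spikes(records),
            "random_subdomain_zones": random_subdomain_zones(records)}


if __name__ == "__main__":
    print(analyze(make_sample_log()))
```

Feed `analyze()` lines from your own resolver log after mapping them to the four fields; the per-client spike catches a single noisy source, while the zone check catches the fake-subdomain pattern even when the queries arrive from many different clients.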

DNS-related attacks will continue to be a theme of 2014, Hamelin said, noting there aren't a lot of steps in place to protect organizations from a hijacked DNS server or its clients.

"Attackers are focused on ROI [return on investment] and attacking a DNS server could be a great way to have a large impact with little effort."


Several websites run by the Nato alliance have been knocked offline following a cyber attack by a pro-Russian Ukrainian hacktivist group.

A group known as Cyber Berkut claimed responsibility, and was able to take down multiple Nato sites, including its main website, using a distributed denial of service (DDoS) attack. The attack took place on the eve of a referendum in Crimea, which favoured the region leaving Ukraine and joining Russia.

Cyber Berkut took issue with Nato forces occupying areas of Ukraine, accusing them of spreading propaganda through the media and social networks. The group has also worked to block multiple news websites in the region, which it said are guilty of "double standards".

In a post on its website, Cyber Berkut said the ease by which it was able to take down three Nato websites reflected badly on the alliance's other operations: "If Nato cannot protect their resources, the protection of personal data of ordinary Europeans cannot be considered," it said.

Nato said that no other systems had been affected and that the integrity of the alliance's data remained secure.

DDoS attacks are often the easiest way for smaller groups to make their presence felt quickly, using botnets of hijacked computers to send a barrage of requests to web servers in order to take them down. These websites are often unprepared for such traffic and buckle under the strain.

Last year, Nato announced plans to create new teams of elite cyber defence experts intended to deal with highly sophisticated threats, but has seemingly been unable to defend its own websites this time round.

