Sunday, 16 March 2014

Connection Link Between Turla, Uroburos & Agent.BTZ

Experts from G-Data and BAE Systems recently released information about a persistent cyber espionage operation codenamed Turla (also referred to as Snake or Uroburos). Further to this, Kaspersky Lab's research and analysis team have now found an unexpected connection between Turla and an existing piece of malware known as Agent.BTZ.

The company "Kaspersky Lab" program analysed the relationship Turla, which is also known as Snake or Uroburos, with other known kibershpionami. After the release of reports on this threat a number of companies working in the field of IT security, many experts in the field were made ​​with the conclusion of the relationship Turla and other acclaimed at the time of malicious software - so-called Agent.BTZ.

In 2008 worm infected Agent.BTZ LANs Central Command of U.S. forces in the Middle East and was named the worst event in the history of U.S. military computer. According to some sources, the Pentagon has spent nearly 14 months to eliminate the effects of infection networks sun, and as a result of this incident provided the impetus for the creation of the U.S. Cyber ​​Command, U.S. Army internal divisions.

A malicious program supposedly created in 2007, contains the functionality to search and send valuable information from the infected computer to a remote control center. "Kaspersky Lab" first encountered the aforementioned malicious programs for Turla in March 2013 during an investigation of another incident involving the use of highly complex rootkit.

Map of infections caused by different modifications of “Agent.btz” in 2011-2013

Then in the course of the investigation specialists "Kaspersky Lab" found interesting facts indicating that apparently served as a model Agent.BTZ worm creators most technically advanced cyber weapons - Red October, Turla, as well as Flame and Gauss. Careful analysis showed that the creators of Red October, obviously knew about the functionality of the worm Agent.BTZ. Written by them in 2010-2011 module USB Stealer inter alia seeking and copies with USB-media archives with information accumulated worm and its log files. Turla, in turn, uses the same as Agent.BTZ, file names for logging their own actions, and the exact same key for encryption.

Finally, the program adheres Flame worm similar to file extensions and also stores the stolen information on USB-devices. Taking this into account, it can be argued that the creators of the aforementioned cyber-espionage campaigns thoroughly studied worm Agent.BTZ work and adopted the experience to develop their own malicious programs with similar goals. However, this makes it impossible to talk about a direct connection between the two groups of intruders.

 "Based on the data that we have, it is impossible to make such a statement. All information used by the developers of these malicious programs, was opened to the public for at least the time of creation and Flame Red October . were also not a secret and the names of files in which information accumulated worm from infected systems. Finally, the encryption key, which is identical in cases and Turla Agent.BTZ, was launched back in 2008. unknown, since when it has been applied in Turla. On the one hand, we found it in samples that were created in this and last year, on the other hand, there is information that Turla creation began in 2006, before the sample was found Agent.BTZ. Consequently, the question of communication development of cyber weapons is still open, "- concluded Aleks, the main anti-virus expert" Kaspersky Lab ".

Detail from Kaspersky Report is available: Here

No comments:

Post a Comment