A few days ago the personal blog and Reddit account of Mt. Gox CEO Mark Karpeles were hacked. The attackers used them to post a file, MtGox2014Leak.zip, which they claimed contained valuable database dumps and specialized software for remote access to Mt. Gox data. The application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealing malware, exploiting people's keen interest in the Mt. Gox topic.
The past few days have seen extensive discussion within the IT security industry about a cyberespionage campaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by Russian special services.
One of the main conclusions, also pointed out by research from BAE SYSTEMS, is a connection between the authors of Turla and those of another malicious program, known as Agent.BTZ, which infected the local networks of US military operations in the Middle East in 2008.
We first became aware of this targeted campaign in March 2013, when we investigated an incident involving a highly sophisticated rootkit. We called it the Sun rootkit, after the filename it used for its virtual file system: sunstore.dmp, also accessible as \\.\Sundrive1 and \\.\Sundrive2. The Sun rootkit and Uroburos are the same.
We are still actively investigating Turla, and we believe it is far more complex and versatile than the already published materials suggest.
At this point, I would like to discuss the connection between Turla and Agent.btz in a little more detail.
The story of Agent.btz began back in 2007 and was extensively covered by the mass media in late 2008 when it was used to infect US military networks.
Here is what Wikipedia has to say about it: The 2008 cyberattack on the United States was the worst breach of U.S. military computers in history. The defense against the attack was named Operation Buckshot Yankee. It led to the creation of the United States Cyber Command.
It started when a USB flash drive infected by a foreign intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East. It contained malicious code and was put into a USB port from a laptop computer that was attached to United States Central Command.
The Pentagon spent nearly 14 months cleaning the worm, named Agent.btz, from military networks. Agent.btz, a variant of the SillyFDC worm, has the ability to scan computers for data, open backdoors, and send through those backdoors to a remote command and control server.
We do not know how accurate the story of the USB flash drive left in the parking lot is. We have also heard a number of other versions of this story, which may or may not be right. However, the important fact here is that Agent.btz was a self-replicating computer worm, not just a Trojan. Another important fact is that the malware has dozens of different variants.
We believe that the initial variants of the worm were created back in 2007. By 2011 a large number of its modifications had been detected. Today, most variants are detected by Kaspersky products as Worm.Win32.Orbina.
Curiously, in accordance with the naming convention used by PC Tools, the worm is also named Voronezh.1600, possibly a reference to the mythical Voronezh school of hackers in Russia.
In any event, it is quite obvious that the US military were not the only victims of the worm. Copying itself from one USB flash drive to another, it rapidly spread globally. Although no new variants of the malware have been created for several years, and the autorun.inf mechanism that enabled the worm to launch from USB flash drives has long since been closed off in newer versions of Windows, according to our data Agent.btz was detected 13,832 times in 107 countries across the globe in 2013 alone!
The dynamics of the worm's epidemic are also worth noting. Over the three years from 2011 to 2013 the number of infections caused by Agent.btz steadily declined; however, the top 10 affected countries changed very little.
Agent.BTZ detections (unique users) by country, 2011, 2012 and 2013: per-country tables not reproduced here.
The statistics presented above are based on the following Kaspersky Anti-Virus verdicts: Worm.Win32.Autorun.j, Worm.Win32.Autorun.bsu, Worm.Win32.Autorun.bve, Trojan-Downloader.Win32.Agent.sxi, Worm.Win32.AutoRun.lqb, Trojan.Win32.Agent.bve and Worm.Win32.Orbina.
To summarize the above, the Agent.btz worm has clearly spread all over the world, with Russia leading in terms of the number of infections for several years.
Map of infections caused by different modifications of Agent.btz in 2011-2013
For detailed information on the modus operandi of Agent.btz, I recommend reading an excellent report prepared by Sergey Shevchenko from ThreatExpert, back in November 2008.
On infected systems, the worm creates a file named thumb.dd on every USB flash drive connected to the computer, using it to store a CAB file containing the following files: winview.ocx, wmcache.nld and mswmpdat.tlb. These files contain information about the infected system and the worm's activity logs for that system. Essentially, thumb.dd is a container for data that is saved to the flash drive whenever it cannot be sent directly over the Internet to the C&C server.
If such a flash drive is inserted into another computer infected with Orbina, the file thumb.dd is copied to that computer under the name mssysmgr.ocx.
Given this functionality and the global scale of the epidemic caused by the worm, we believe that there are tens of thousands of USB flash drives in the world containing files named thumb.dd created by Agent.btz at some point in time and containing information about systems infected by the worm.
Over one year ago, we analyzed dozens of modules used by Red October, an extremely sophisticated cyber espionage operation. While performing the analysis, we noticed that the list of files that a module named USB Stealer searches for on USB flash drives connected to infected computers included the names of files created by Agent.btz: mssysmgr.ocx and thumb.dd.
This means that the Red October developers were actively looking for data collected several years earlier by Agent.btz. All the USB Stealer modules known to us were created in 2010-2011.
Both Red October and Agent.btz were, in all probability, created by Russian-speaking malware writers. One program knew about the files created by the other and tried to make use of them. Are these facts sufficient to conclude that there was a direct connection between the developers of the two malicious programs?
I believe they are not.
First and foremost, it should be noted that the fact that the file thumb.dd contains data from Agent.btz-infected systems was publicly known. It is not impossible that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other people's work to collect additional data. It should also be remembered that Red October was a tool for highly targeted pinpoint attacks, whereas Agent.btz was a worm, by definition designed to spread uncontrollably and collect any data it could access.
Basically, any malware writer could add scanning of USB flash drives for thumb.dd files, and the theft of those files, to their Trojan's functionality. Why not steal additional data without much additional effort? However, decrypting the stolen data requires one other thing: the encryption key.
The connection between Turla and Agent.btz is more direct, although not sufficiently so to conclude that the two programs have the same origin.
Turla uses the same file names as Agent.btz (mswmpdat.tlb, winview.ocx and wmcache.nld) for its log files stored on infected systems.
All the overlapping file names are presented in the table below:
In addition, Agent.btz and Turla use the same XOR key to encrypt their log files:
The key is not a secret, either: it was discovered and published back in 2008, and anybody who had an interest in the Agent.btz story knew about it. Is it possible that the developers of Turla decided to use somebody else's key to encrypt their logs? We are as yet unable to determine at what point in time this particular key was adopted for Turla. It is present in the latest samples (dated 2013-2014), but according to some data the development of Turla began back in 2006, before the earliest known variant of Agent.btz was created.
Now we have determined that Red October knew about the file names used by Agent.btz and searched for them. We have also determined that Turla used the same file names and encryption key as Agent.btz.
So what about a possible connection between Red October and Turla? Is there one? Having analyzed all the data at our disposal, we do not see any overlap between the two projects. They do not know about each other, they do not communicate with each other in any way, and they differ in architecture and in the technologies used.
The only thing they really have in common is that the developers of both Red October (Rocra) and Turla appear to have Russian as their native language.
Back in 2012, while analyzing Flame and its cousins Gauss and MiniFlame, we noticed some similarities between them and Agent.btz (Orbina). The first thing we noticed was the analogous naming convention, with a predominance of files with the .ocx extension. Take as an example the name of the main module of Flame, mssecmgr.ocx. In Agent.btz a very similar name was used for the log-file container on the infected system: mssysmgr.ocx. And in Gauss all modules took the form of files named *.ocx.
Using USB as storage: yes (hub001.dat); yes (.thumbs.db). (Other rows of the comparison table are not reproduced here.)
The Kurt/Godel module in Gauss contains the following functionality: when a drive contains a '.thumbs.db' file, its contents are read and checked for the magic number 0xEB397F2B. If found, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes the '.thumbs.db' file.
This is a container for data stolen by the 'dskapi' payload.
Besides, MiniFlame (module icsvnt32) also knew about the .thumbs.db file, and conducted a search for it on USB sticks.
If we recall that our data indicate the development of both Flame and Gauss started back in 2008, it can't be ruled out that the developers of these programs were well acquainted with the analysis of Agent.btz and possibly borrowed some ideas from it in their own development.
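The artifacts described above are concrete enough to hunt for. The following Python script is an added example, not code from the original post or from Kaspersky: it walks a mounted drive (or a directory tree) and flags the file names the post attributes to Agent.btz (thumb.dd, mssysmgr.ocx, winview.ocx, wmcache.nld, mswmpdat.tlb) and any .thumbs.db file whose header carries the Gauss magic number 0xEB397F2B that the Kurt/Godel module checks for. It assumes the magic is stored as a 4-byte value at offset 0 (the post gives the value but not its layout, so both byte orders are accepted); the sample drive it builds is a constructed fixture.

```python
"""Hunt for Agent.btz and Gauss USB artifacts on a mounted drive.

Added example, not Kaspersky's tooling. File names and the 0xEB397F2B magic
come from the analysis above; the on-disk layout of the magic (4 bytes at
offset 0, either byte order) is an assumption.
"""
import os
import struct
import tempfile
from pathlib import Path

# Names created by Agent.btz on flash drives / infected hosts (from the post).
AGENT_BTZ_NAMES = {"thumb.dd", "mssysmgr.ocx", "winview.ocx", "wmcache.nld", "mswmpdat.tlb"}

# Magic number the Gauss Kurt/Godel module looks for inside .thumbs.db.
GAUSS_MAGIC = 0xEB397F2B
GAUSS_MAGIC_BYTES = {struct.pack("<I", GAUSS_MAGIC), struct.pack(">I", GAUSS_MAGIC)}


def has_gauss_magic(path) -> bool:
    """True if the file's first four bytes equal 0xEB397F2B in either byte order (assumed layout)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in GAUSS_MAGIC_BYTES
    except OSError:
        return False


def hunt(root) -> list:
    """Walk root and return sorted (relative_path, verdict) pairs for suspicious files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            lname = name.lower()
            if lname in AGENT_BTZ_NAMES:
                hits.append((rel, "agent.btz artifact name"))
            elif lname == ".thumbs.db" and has_gauss_magic(p):
                # The benign Windows thumbnail cache is "Thumbs.db" (no leading dot)
                # and never starts with the Gauss magic, so it is not reported.
                hits.append((rel, "gauss .thumbs.db container (magic 0xEB397F2B)"))
    return sorted(hits)


def build_sample_drive() -> str:
    """Constructed fixture that mimics an infected flash drive; returns its path."""
    d = tempfile.mkdtemp(prefix="usb_")
    (Path(d) / "thumb.dd").write_bytes(b"MSCF" + b"\x00" * 32)  # CAB-like container
    (Path(d) / "photos").mkdir()
    (Path(d) / "photos" / ".thumbs.db").write_bytes(struct.pack("<I", GAUSS_MAGIC) + b"stolen")
    (Path(d) / "photos" / "Thumbs.db").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 8)  # benign cache
    (Path(d) / "report.docx").write_bytes(b"PK\x03\x04")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    for rel, verdict in hunt(drive):
        print(f"{verdict:48s} {rel}")
```

Point `hunt()` at the mount point of a drive you are triaging (for example `hunt("E:/")` on Windows). A hit on name alone is only an indicator, since legitimate files can share those names; the .thumbs.db check is stronger because it matches content, which is why the script keeps the two verdicts separate. Decrypting a recovered thumb.dd container is a separate step that needs the XOR key the post discusses, which is not reproduced here.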
The data can be presented in the form of a diagram showing the interrelations among all the analyzed malicious programs:
As can be seen in the diagram, the developers of all three (or four, if we include Gauss) spy programs knew about Agent.btz, i.e., about how it works and what filenames it uses, and used that information either to directly adopt its functionality, ideas and even filenames, or to try to make use of the results of Agent.btz's work.
Summarizing all the above, it is possible to regard Agent.btz as a starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs with similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs the same? It's possible, but the facts can't prove it.
Over the past week or so I've been to TrustyCon, Jeffrey Carr's town-hall debate on Privacy v National Security and Georgetown's conference on International Engagement on Cyber. All these conferences had trust as a major focal point. Trust in the internet. During the course of the last nine months in particular that trust has been eroded and replaced with suspicion. How do we fix this?
Overall, I really enjoyed some great discussions at these events. The town-hall debate did the best job at getting people from all sides to the table, which is something we need to see more of.
It was five years ago when a group of computer security enthusiasts decided to gather together and organize a security conference mainly for a Spanish-speaking audience.
Last week RootedCon celebrated its fifth birthday, gathering more than 1000 attendees. It is now firmly established as the most important security event in Spain.
The now-notorious arsenal of ‘Nigerian’ tricks has been enriched with yet a new scam.
A Peter Gamba (or Gamaba?) from Uganda is asking for help: in his homeland he faces the threat of persecution for his sexual orientation. The sender claims he is threatened with jail or even death. But he has money: $3,300,000. The message then follows the usual scenario: you take his money, put it into your bank account and get 20% of it in return for your help.
Offers to work as a mystery shopper are a common trick used by fraudsters. They give you a chance to work in your free time, and if you agree, they send you a fake check with a huge sum of money, which is supposed to compensate the costs of goods and research. Any remaining money left over after the work is returned to the fraudsters. When the bank annuls the check as a fake, the secret shopper is left out of pocket.
But as users become more aware of online dangers, scammers have had to resort to various tricks to achieve their goals, such as disguising scam mailings as a mailing from a large company specializing in work with secret shoppers. The message, sent on behalf of Mystery Shopper Inc., prompted the user to look at a description of the vacancy, but the attached link led to another resource that also specializes in this type of market research.
The real address of the scammer’s page was revealed after clicking the attached link. Obviously, it had nothing to do with Mystery Shopper Inc. official resources.
Over the last few months I have been closely monitoring so-called Darknet resources, mostly the Tor network. One thing that is immediately obvious is that the cybercriminal element is growing. Although the Tor infrastructure and its cybercriminal resources are not on the same scale as the conventional Internet (we found approximately 900 hidden services online at the time of writing, with approximately 5,500 nodes in total and 1,000 exit nodes), the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network.
Cybercriminals have started actively using Tor to host malicious infrastructure. We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android. A quick look at Tor network resources reveals lots of resources dedicated to malware – C&C servers, admin panels, etc.
Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.
In January we detected a phishing mailing that was sent on behalf of Apple. The messages contained an offer to purchase a card giving a discount of 150 euros in any European AppStore for only 9 euros. The senders also underlined that only valued customers were eligible to receive the card.
To place an order for the card, Apple fans had to open an attached HTML page and fill in all the fields, such as information about the user’s bank card, including the three-digit security code stated on the reverse of the card.
In exchange, the scammers promised to send a discount card via email within 24 hours. But evidently it was just another scam to trick users. The fraudsters also used the Apple logo and an automated signature block at the end of the message to confuse victims.
The scammers didn’t just target logins and passwords for personal accounts but also users’ banking information, and in order to achieve their goal they are willing to promise anything. Inexperienced users may find it difficult to see through the fraud, but requests for confidential bank information or data that gives access to personal accounts are a clear sign of a phishing scam.
On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called CODE BLUE, a new international information security conference originating from Japan.
Even though this conference was being held for the first time, no less than 400 visitors attended, with people coming from about 10 different countries.
The overall atmosphere at the event was kind and friendly, and everything seemed to go smoothly and swiftly.
Topics on the first day were the keynote by Jeff Moss, followed by presentations about The Current State of Automotive Security, A Security Barrier Device, Remote linux exploits and hard-/software related hard disk matters.
For the Japanese speakers among you there's a more detailed review of the event here.
No doubt it's been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of technical issues.
Mt. Gox BTC price evolution in February 2014, source: Clark Moody
As customers were unable to move their funds out from Mt. Gox, the world's most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.
In our forecast for 2014, we've stated that attacks on Bitcoin, specifically attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. These attacks will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.
While the Mt. Gox incident might be the most significant in Bitcoin history to-date, as it is rumored to be worth 744,408 Bitcoins, or more than $300 million at current BTC prices, the only question that remains unanswered is what actually caused it.