Agent.BTZ is an advanced malware, used to steal information from compromised networks. This malware was discovered in 2008 to have infected US Army and Department of Defense computers. Following the original infection of a military computer through a USB drive, it took the US Army and Department of Defense fourteen months to remove it from its networks, and this incident was a main driver behind the establishment of the US cyber command.
Recently, the activity of a highly sophisticated rootkit malware nicknamed Snake (also known as Turla and Uroburos) was revealed. The malware, used to infect networks and steal information, is assumed to be the work of the same creator as Agent.BTZ, based on several similarities between the two. Snake, like Agent.BTZ, mainly targeted government and military organizations in countries of the Former Soviet Union, the EU, the US and the UK. The malware has been used continuously since 2005 and has a high degree of stealth (being able to operate undetected on a computer for a long time). Two variants of the malware have been uncovered so far: one has been operating since 2005, and the other since 2011. The main difference between the variants is whether they carry out their network communications through the kernel or user level of the computer.
As shown in our post on the Mask APT malware, creators of advanced and sophisticated malware, even state-backed APTs, fall back on earlier creations and reuse both code and methods in the new versions they create, while adapting them to the different security measures. This practice is nearly inevitable since such tools are built using the same organizational concepts, and therefore will need the same types of exploits, techniques, and code. The fact that the team responsible for Agent.BTZ continued to operate after its detection, with similar code and techniques, and attacked similar targets so many years after it was first exposed, demonstrates how malware reuse serves to increase the attacker-defender imbalance in today’s cyber-security.
Code and Method Reuse in Snake
This malware is no different – every step of the way, both of Snake’s variants reuse code and methods to communicate and exfiltrate information from the computer. The first instance of code reuse happens right after Snake is installed on the computer, when it registers drivers in the kernel. The malware downloads the driver in encrypted form from the C&C server, and decrypts it reusing the same XOR key used in Agent.BTZ.
The second example of code reuse comes when Snake attempts to register its driver on 64-bit computers. In order to bypass Windows 64-bit code integrity control (in Windows Vista, 7 & 8), the malware reuses a known exploit in old Oracle virtualbox software that, having a signed driver itself, allows other unsigned drivers to be installed on the computer. In order to be able to reuse the known exploit, the attackers actually install an old version of the virtualbox driver. This example shows to what lengths attackers go in order to reuse existing exploits, and avoid developing new ones. As part of the process, the malware also reuses exploits MS09-25 and MS10-15, used in the Red October malware, to gain administrator privileges.
After installing the driver, the malware reuses concepts and the methods used in previous rootkit malware, to allow it to collect information undetected. First it carries out API hooking, in order to disable tools that would otherwise prevent its actions (such as IDT). Next the driver creates virtual file volumes, where the information it collects is stored. The names of these volumes (mswmpdat.tlb, wmcache.nld, winview.ocx) are identical to those created in Agent.BTZ. This might indicate the reuse of the module responsible for creating the virtual file volumes. The volumes are also stored in $NtUninstall type files – a method used in other malwares.
The second method reuse, that appears in the kernel level variant, is to register drivers on different network filters used by the computer (WFP, TDI, NDIS). These drivers allow the malware to follow and exploit all the computers network communications – filtering commands sent to it and injecting information that is sent back to the command and control servers.
Following the driver registration, comes a third method reuse – the malware injects DLLs into the computers web browser’s address space. This allows the downloading of a reconnaissance tool from the Command and Control server that collects information on the computer and other computers in the network (the OS version, the installed network services etc.). In the user level variant, these DLLs also carry out the network communications with the C&C server. Thus, the communication with the C&C server and the operations on the computer are masked by the browsers network traffic and operations, making them seem legitimate.
Reuse is Essential to State-Backed Malware
What the Snake malware highlights, is that the reuse of code and methods is essential in enabling state organizations and agencies to carry out long-term, large-scale, sophisticated and complex cyber operations. The many levels of attack, and the ever present danger of discovery, while stealthily operating in sensitive targets, requires constant development of new tools. Being part of the same organizational structure and operations, the development of these tools is inevitably based on the tools used before it. The bottom line? There is a very good chance that advanced methods and code seen in one state-sponsored malware, will be seen again in the next generation of malware created by the same organization.