In 2008, a very powerful variant of the infamous ‘Agent’ worm hit local computing networks of the U.S. Army central command in the Middle East. It was classified as the worst computing hack in the history of the U.S. Army. Pentagon experts took 14 months to completely remove the malware from the military network. That malicious code was in fact the cause that led to the establishment of the U.S. Cyber Command. The worm that was generated in 2007, held the ability to scan for sensitive information on computers and send it to remote command and control servers.
In March, 2013 a cyber-espionage campaign was discovered, involving the malware ‘Turla’ (AKA: ‘Snake’ and ‘Uroburos’) that used very sophisticated rootkit technology, that became known as the ‘Sun rootkit’, because of the file name ‘sunstore.dmp’ that was used as virtual file system by the rootkit.
That rootkit technology as well as other functionalities show an interesting relationship between these variants of ‘Turla’ and ‘Agent’. It seems as the last was the inspiration for creating a whole range of cyber-espionage tools that are considered the most sophisticated today, including ‘Red October’, ‘Turla’ and ‘Flame-Gauss’.
‘Red October’ developers clearly knew about the capabilities of ‘Agent’ when they developed the USB Stealer module (2010-2011 ) that searches for files containing the worm data (mssysmgr.ocx and thumb.dd) that includes information about infected systems and logs of activity, then steals them from the connected USB drive.
It seems like ‘Turla’ uses the same file names for its logs (mswmpdat.tlb , winview.ocx and wmcach.nld). It also uses the same encryption XOR key for its log files, as does ‘Agent’.
‘Flame-Gauss’ use the same naming structure such as ocx files or thumb.db. They also use a USB drive storage for the stolen information.
Given these facts, it is clear that the developers of the four different campaigns studied in depth the ‘Agent’ variant. They tried to understand how it works and use the information as a model for developing their malicious code, all of which have similar objectives. But what does the connection between the developers of these spy tools mean?
Although it is not possible to draw firm conclusions based on these facts alone, the information that was used by the developers was in fact accessible to the public during ‘Red October’ and ‘Flame-Gauss’ generation. Add to the fact that ‘Agent’ used the file thumb.dd as storage for collecting information from infected systems, and used the same XOR key that was used by ‘Turla’ developers in order to encrypt their logs. It is unclear when this encryption key first came into use, but it is clearly seen in recent variants of the malicious code created in 2013-2014. Meanwhile, there is some evidence that points to the beginning of the development of ‘Turla’ in 2006, before the first exposure of the ‘Agent’ variant, which leaves some unanswered questions.