Agent.BTZ

Last updated
Agent.btz
Common nameAgent.btz
Aliases
Author(s)Unknown

Agent.BTZ, also named Autorun, [1] [2] is a computer worm that infects USB flash drives with spyware. A variant of the SillyFDC worm, [3] it was used in a massive 2008 cyberattack on the US military, infecting 300,000 computers.

Contents

Technical description

The Agent.BTZ worm is a DLL file, written in assembler (x86-32 bit). [4] It spreads by creating an AUTORUN.INF file to the root of each drive with the DLL file. [5] It has the ability "to scan computers for data, open backdoors, and send through those backdoors to a remote command and control server." [3]

History

In 2008, at a US military base in the Middle East, a USB flash drive infected with Agent.BTZ was inserted into a laptop attached to United States Central Command. From there it spread undetected to other systems, both classified and unclassified. [6] In order to try and stop the spread of the worm, the Pentagon banned USB drives and removable media devices. They also disabled the Windows autorun feature on their computers. [3] The Pentagon spent nearly 14 months cleaning the worm from military networks. [3]

Attribution

Chinese hackers were thought to be behind the attack because they had used the same code that made up Agent.BTZ in previous attacks. [7] According to an article in The Economist , "it is not clear that agent.btz was designed specifically to target military networks, or indeed that it comes from either Russia or China." [8] An article in the Los Angeles Times reported that US defense officials described the malicious software as "apparently designed specifically to target military networks." It's "thought to be from inside Russia", although it was not clear "whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement." [9]

In 2010, American journalist Noah Shachtman wrote an article to investigate the theory that the worm was written by a single hacker. [3] Later analyses by Kaspersky Lab found relations to other spyware, including Red October, Turla, and Flame. [10]

In December 2016, the United States FBI and DHS issued a Joint Analysis Report which included attribution of Agent.BTZ to one or more "Russian civilian and military intelligence Services (RIS)." [11]

Related Research Articles

<span class="mw-page-title-main">Computer worm</span> Self-replicating malware program

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

mydoom also known as, my.doom, W32.MyDoom@mm, Novarg, Mimail.R, Shimgapi, W32/Mydoom@MM, WORM_MYDOOM, Win32.Mydoom is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2023 has yet to be surpassed.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Moonlight Maze was a 1999 US government investigation into a massive data breach of classified information. It started in 1996 and affected NASA, the Pentagon, military contractors, civilian academics, the DOE, and numerous other American government agencies. By the end of 1999, the Moonlight Maze task force was composed of forty specialists from law enforcement, military, and government. The investigators claimed that if all the information stolen was printed out and stacked, it would be three times the height of the Washington Monument, which is 555 ft (169 m) tall. The Russian government was blamed for the attacks, although there was initially little hard evidence to back up the US accusations besides a Russian IP address that was traced to the hack. Moonlight Maze represents one of the first widely known cyber espionage campaigns in world history. It was even classified as an Advanced Persistent Threat after two years of constant assault. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations revealed that the threat actor involved in the attack continued to be active and employ similar methods until as recently as 2016.

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

In computer security, MPack is a PHP-based malware kit produced by Russian crackers. The first version was released in December 2006. Since then a new version is thought to have been released roughly every month. It is thought to have been used to infect up to 160,000 PCs with keylogging software. In August 2007 it was believed to have been used in an attack on the web site of the Bank of India which originated from the Russian Business Network.

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

In 2008, the United States Department of Defense was infected with malware. Described at the time as the "worst breach of U.S. military computers in history", the defense against the attack was named "Operation Buckshot Yankee". It led to the creation of the United States Cyber Command.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Cyber-collection refers to the use of cyber-warfare techniques in order to conduct espionage. Cyber-collection activities typically rely on the insertion of malware into a targeted network or computer in order to scan for, collect and exfiltrate sensitive information.

Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. According to US officials, over 500,000 computer systems have been infected worldwide with the software.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook. It originated in 2015 and infected systems were variously used to send spam, participate in DDoS attacks, or harvest users' credentials.

References

  1. Shevchenko, Sergei (30 November 2008). "Agent.btz - A Threat That Hit Pentagon". ThreatExpert Blog. Retrieved 14 December 2016.
  2. "W32/Autorun.worm.dw - Malware". McAfee Labs Threat Center. 21 November 2008. Retrieved 14 December 2016.
  3. 1 2 3 4 5 Shachtman, Noah (25 August 2010). "Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack". Wired. Retrieved 14 December 2016.
  4. "Agent.BTZ - Virus Information". Panda Security. Retrieved 14 December 2016.
  5. "Worm:W32/Agent.BTZ Description". F-Secure Labs. Retrieved 14 December 2016.
  6. William J. Lynn III. "Defending a New Domain". Foreign Affairs . Retrieved 2010-08-25.
  7. Leyden, John (20 November 2008). "US Army bans USB devices to contain worm". The Register. Retrieved 14 December 2016.
  8. "The worm turns". The Economist. 4 December 2008. Retrieved 14 December 2016.
  9. Barnes, Julian E. (28 November 2008). "Pentagon computer networks attacked". Los Angeles Times. Retrieved 14 December 2016.
  10. Gostev, Alexander (12 March 2014). "Agent.btz: a Source of Inspiration?". Securelist. Retrieved 19 May 2020.
  11. "GRIZZLY STEPPE – Russian Malicious Cyber Activity" (PDF). US CERT. Retrieved 2 March 2017.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.