Agent.btz, built to scan computers for data and open backdoors, has a storied history. It began life back in 2007, but came to notoriety in late 2008 when it was used to infect US military networks. The attack supposedly started when a USB flash drive infected by a foreign intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East. It contained malicious code and was put into a USB port from a laptop computer that was attached to United States Central Command.
The Pentagon spent nearly 14 months cleaning the worm, in what it dubbed “Operation Buckshot Yankee.” Eventually, the attack led to the creation of the United States Cyber Command.
“We do not know how accurate the story with the USB flash drive left in the parking lot [is],” said Alexander Gostev, a Kaspersky researcher, in a blog. “We have also heard a number of other versions of this story, which may or may not be right. However, the important fact here is that Agent.btz was a self-replicating computer worm, not just a Trojan. Another important fact is that the malware has dozens of different variants.”
In fact, by 2011 a large number of its modifications had been detected. Yet copying itself from one USB flash drive to another, it rapidly spread globally and persists to this day.
“Although no new variants of the malware have been created for several years and the vulnerability enabling the worm to launch from USB flash drives using ‘autorun.inf’ have long since been closed in newer versions of Windows, according to our data Agent.btz was detected 13,832 times in 107 countries across the globe in 2013 alone,” Gostev said, the majority of them in the Russian Federation.
On infected systems, the Agent.btz worm creates a file named “thumb.dd” on all USB flash drives connected to the computer, using it to store information about the infected system and the worm’s activity logs. Given this functionality and the global scale of the epidemic caused by the worm, Kaspersky believes that there are tens of thousands of USB flash drives in the world containing files named “thumb.dd” created by Agent.btz at some point in time and containing information about systems infected by the worm.
While performing the Red October analysis, Kaspersky researchers noticed that a module named “USB Stealer” searches for the names of the files created by Agent.btz on USB flash drives connected to infected computers.
“This means that Red October developers were actively looking for data collected several years previously by Agent.btz,” said Gostev.
The fact that the file “thumb.dd” contains data from Agent.btz-infected systems was publicly known. Gostev said that it’s likely that the developers of Red October, who must have been aware of the large number of infections caused by Agent.btz and of the fact that the worm had infected US military networks, simply tried to take advantage of other people’s work to collect additional data.
“It should also be remembered that Red October was a tool for highly targeted pinpoint attacks, whereas Agent.btz was a worm, by definition designed to spread uncontrollably and collect any data it could access,” said Gostev. “Why not steal additional data without too much additional effort?”
Clearly, Agent.btz could be seen as a certain starting point in the chain of creation of several different cyber-espionage projects. But Gostev cautions against concluding that the actors behind the two are the same: “The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties,” he said. “Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it.”