{
	"id": "aa09fa52-20c4-4075-aa34-0146b32d8778",
	"created_at": "2026-04-06T00:21:36.818054Z",
	"updated_at": "2026-04-10T03:33:35.490271Z",
	"deleted_at": null,
	"sha1_hash": "e70e01d19e7e928585f8e71473be562f2d6f95f9",
	"title": "Agent.btz: a Source of Inspiration?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237458,
	"plain_text": "Agent.btz: a Source of Inspiration?\r\nBy Alexander Gostev\r\nPublished: 2014-03-12 · Archived: 2026-04-05 13:33:45 UTC\r\nThe past few days have seen an extensive discussion within the IT security industry about a cyberespionage\r\ncampaign called Turla, aka Snake and Uroburos, which, according to G-DATA experts, may have been created by\r\nRussian special services.\r\nOne of the main conclusions, also pointed out by research from BAE SYSTEMS, is a connection between the\r\nauthors of Turla and those of another malicious program, known as Agent.BTZ, which infected the local networks\r\nof US military operations in the Middle East in 2008.\r\nWe first became aware of this targeted campaign in March 2013, when we investigated an\r\nincident which involved a highly sophisticated rootkit. We called it the ‘Sun rootkit’, based on a filename used as\r\na virtual file system: sunstore.dmp, also accessible as \\.Sundrive1 and \\.Sundrive2. The ‘Sun rootkit’ and Uroburos\r\nare the same.\r\nWe are still actively investigating Turla, and we believe it is far more complex and versatile than the already\r\npublished materials suggest.\r\nAt this point, I would like to discuss the connection between Turla and Agent.btz in a little more detail.\r\nAgent.btz: a global epidemic or a targeted attack?\r\nThe story of Agent.btz began back in 2007 and was extensively covered by the mass media in late 2008 when it\r\nwas used to infect US military networks.\r\nHere is what Wikipedia has to say about it: “The 2008 cyberattack on the United States was the ‘worst breach of\r\nU.S. military computers in history’. The defense against the attack was named ‘Operation Buckshot Yankee’. It\r\nled to the creation of the United States Cyber Command.\r\nIt started when a USB flash drive infected by a foreign intelligence agency was left in the parking lot of a\r\nDepartment of Defense facility at a base in the Middle East. 
It contained malicious code and was put into a USB\r\nport from a laptop computer that was attached to United States Central Command.\r\nThe Pentagon spent nearly 14 months cleaning the worm, named Agent.btz, from military networks. Agent.btz, a\r\nvariant of the SillyFDC worm, has the ability ‘to scan computers for data, open backdoors, and send through those\r\nbackdoors to a remote command and control server’.”\r\nWe do not know how accurate the story about the USB flash drive left in the parking lot is. We have also heard a\r\nnumber of other versions of this story, which may or may not be right. However, the important fact here is that\r\nAgent.btz was a self-replicating computer worm, not just a Trojan. Another important fact is that the malware has\r\ndozens of different variants.\r\nhttps://securelist.com/agent-btz-a-source-of-inspiration/58551/\r\nPage 1 of 8\n\nWe believe that the initial variants of the worm were created back in 2007. By 2011 a large number of its\r\nmodifications had been detected. Today, most variants are detected by Kaspersky products as\r\nWorm.Win32.Orbina.\r\nCuriously, in accordance with the naming convention used by PC Tools, the worm is also named Voronezh.1600\r\n(http://www.threatexpert.com/report.aspx?md5=02eda1effde92bdf8462abcf40c4f776) – possibly a reference to\r\nthe mythical Voronezh school of hackers, in Russia.\r\nIn any event, it is quite obvious that the US military were not the only victims of the worm. Copying itself from\r\none USB flash drive to another, it rapidly spread globally. Although no new variants of the malware have been\r\ncreated for several years and the vulnerability enabling the worm to launch from USB flash drives using\r\n“autorun.inf” has long since been closed in newer versions of Windows, according to our data Agent.btz was\r\ndetected 13,832 times in 107 countries across the globe in 2013 alone!\r\nThe dynamics of the worm’s epidemic are also worth noting. 
Over three years – from 2011 to 2013 – the number\r\nof infections caused by Agent.btz steadily declined; however, the top 10 affected countries changed very little.\r\nAgent.BTZ detections (unique users) 2011\r\n1 Russian Federation 24111\r\n2 Spain 9423\r\n3 Italy 5560\r\n4 Kazakhstan 4412\r\n5 Germany 3186\r\n6 Poland 3068\r\n7 Latvia 2805\r\n8 Lithuania 2016\r\n9 United Kingdom 761\r\n10 Ukraine 629\r\nTotal countries 147\r\nTotal users 63021\r\nAgent.BTZ detections (unique users) 2012\r\n1 Russian Federation 11211\r\n2 Spain 5195\r\n3 Italy 3052\r\n4 Germany 2185\r\n5 Kazakhstan 1929\r\n6 Poland 1664\r\n7 Latvia 1282\r\n8 Lithuania 861\r\n9 United Kingdom 335\r\n10 Ukraine 263\r\nTotal countries 130\r\nTotal users 30923\r\nAgent.BTZ detections (unique users) 2013\r\n1 Russian Federation 4566\r\n2 Spain 2687\r\n3 Germany 1261\r\n4 Italy 1067\r\n5 Kazakhstan 868\r\n6 Poland 752\r\n7 Latvia 562\r\n8 Lithuania 458\r\n9 Portugal 157\r\n10 United Kingdom 123\r\nTotal countries 107\r\nTotal users 13832\r\nThe statistics presented above are based on the following Kaspersky Anti-Virus verdicts: Worm.Win32.Autorun.j,\r\nWorm.Win32.Autorun.bsu, Worm.Win32.Autorun.bve, Trojan-Downloader.Win32.Agent.sxi,\r\nWorm.Win32.AutoRun.lqb, Trojan.Win32.Agent.bve, Worm.Win32.Orbina.\r\nTo summarize the above, the Agent.btz worm has clearly spread all over the world, with Russia leading in terms of\r\nthe number of infections for several years.\r\nMap of infections caused by different modifications of “Agent.btz” in 2011-2013\r\nFor detailed information on the modus operandi of Agent.btz, I recommend reading an excellent report prepared\r\nby Sergey Shevchenko from ThreatExpert, back in November 2008.\r\nOn infected systems, the worm creates a file named ‘thumb.dd’ on all USB flash drives connected to the computer,\r\nusing 
it to store a CAB file containing the following files: “winview.ocx”, “wmcache.nld” and “mswmpdat.tlb”.\r\nThese files contain information about the infected system and the worm’s activity logs for that system. Essentially,\r\n“thumb.dd” is a container for data which is saved on the flash drive, unless it can be sent directly over the Internet\r\nto the C\u0026C server.\r\nIf such a flash drive is inserted into another computer infected with Orbina, the file “thumb.dd” will be copied to\r\nthe computer under the name “mssysmgr.ocx”.\r\nGiven this functionality and the global scale of the epidemic caused by the worm, we believe that there are tens of\r\nthousands of USB flash drives in the world containing files named “thumb.dd” created by Agent.btz at some point\r\nin time and containing information about systems infected by the worm.\r\nRed October: a data collector?\r\nOver one year ago, we analyzed dozens of modules used by Red October, an extremely sophisticated cyber\r\nespionage operation. While performing the analysis, we noticed that the list of files that a module named “USB\r\nStealer” searches for on USB flash drives connected to infected computers included the names of files created by\r\nAgent.btz: “mssysmgr.ocx” and “thumb.dd”.\r\nThis means that Red October developers were actively looking for data collected several years previously by\r\nAgent.btz. All the USB Stealer modules known to us were created in 2010-2011.\r\nBoth Red October and Agent.btz were, in all probability, created by Russian-speaking malware writers. One\r\nprogram “knew” about the files created by the other and tried to make use of them. 
Are these facts sufficient to\r\nconclude that there was a direct connection between the developers of the two malicious programs?\r\nI believe they are not.\r\nFirst and foremost, it should be noted that the fact that the file “thumb.dd” contains data from Agent.btz-infected\r\nsystems was publicly known. It is not impossible that the developers of Red October, who must have been aware\r\nof the large number of infections caused by Agent.btz and of the fact that the worm had infected US military\r\nnetworks, simply tried to take advantage of other people’s work to collect additional data. It should also be\r\nremembered that Red October was a tool for highly targeted pinpoint attacks, whereas Agent.btz was a worm, by\r\ndefinition designed to spread uncontrollably and “collect” any data it could access.\r\nBasically, any malware writer could add scanning of USB flash drives for “thumb.dd” files and the theft of those\r\nfiles to their Trojan functionality. Why not steal additional data without too much additional effort? 
However,\r\ndecrypting the stolen data requires one other thing – the encryption key.\r\nAgent.btz and Turla/Uroburos\r\nThe connection between Turla and Agent.btz is more direct, although not sufficiently so to conclude that the two\r\nprograms have the same origin.\r\nTurla uses the same file names as Agent.btz – “mswmpdat.tlb”, “winview.ocx” and “wmcache.nld” – for its log files\r\nstored on infected systems.\r\nAll the overlapping file names are presented in the table below:\r\nAgent.btz Red October Turla\r\nLog files thumb.dd thumb.dd\r\nwinview.ocx winview.ocx\r\nmssysmgr.ocx mssysmgr.ocx\r\nwmcache.nld wmcache.nld\r\nmswmpdat.tlb mswmpdat.tlb\r\nfa.tmp fa.tmp\r\nIn addition, Agent.btz and Turla use the same XOR key to encrypt their log files:\r\n1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6\r\nas80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s\r\nThe key is not a secret, either: it was discovered and published back in 2008, and anybody who had an interest in\r\nthe Agent.btz story knew about the key. Is it possible that the developers of Turla decided to use somebody else’s\r\nkey to encrypt their logs? We are as yet unable to determine at what point in time this particular key was adopted\r\nfor Turla. It is present in the latest samples (dated 2013-2014), but according to some data the development of\r\nTurla began back in 2006 – before the earliest known variant of Agent.btz was created.\r\nRed October and Turla\r\nNow we have determined that Red October “knew” about the file names used by Agent.btz and searched for them.\r\nWe have also determined that Turla used the same file names and encryption key as Agent.btz.\r\nSo what about a possible connection between Red October and Turla? Is there one? Having analyzed all the data\r\nat our disposal, we do not see any overlap between the two projects. 
They do not “know” about each other,\r\nthey do not communicate between themselves in any way, and they are different in terms of their architecture and the\r\ntechnologies used.\r\nThe only thing they really have in common is that the developers of both Rocra and Turla appear to have Russian\r\nas their native language.\r\nWhat about Flame?\r\nBack in 2012, while analyzing Flame and its cousins Gauss and MiniFlame, we noticed some similarities between\r\nthem and Agent.btz (Orbina). The first thing we noticed was the analogous naming convention applied, with a\r\npredominance of files with the .ocx extension. Let’s take as an example the name of the main module of\r\nFlame – “mssecmgr.ocx”. In Agent.btz a very similar name was used for the log-file container on the infected\r\nsystem – “mssysmgr.ocx”. And in Gauss all modules were in the form of files with names *.ocx.\r\nFeature Flame Gauss\r\nEncryption methods XOR XOR\r\nUsing USB as storage Yes (hub001.dat) Yes (.thumbs.db)\r\nThe Kurt/Godel module in Gauss contains the following functionality: when a drive contains a ‘.thumbs.db’ file,\r\nits contents are read and checked for the magic number 0xEB397F2B. 
If found, the module creates\r\n%commonprogramfiles%systemwabdat.dat and writes the data to this file, and then deletes the ‘.thumbs.db’ file.\r\nThis is a container for data stolen by the ‘dskapi’ payload.\r\nIn addition, MiniFlame (module icsvnt32) also ‘knew’ about the ‘.thumbs.db’ file, and conducted a search for it on\r\nUSB sticks.\r\nIf we recall that our data indicate that the development of both Flame and Gauss started back in 2008, it can’t be\r\nruled out that the developers of these programs were well acquainted with the analysis of Agent.btz and possibly\r\nused some ideas taken from it in their development activities.\r\nAll together now\r\nThe data can be presented in the form of a diagram showing the interrelations among all the analyzed malicious\r\nprograms:\r\nAs can be seen in the diagram, the developers of all three (even four, if we include Gauss) spy programs knew\r\nabout Agent.btz, i.e., about how it works and what filenames it uses, and used that information either to directly\r\nadopt the functionality, ideas and even filenames, or attempted to use the results of the work of Agent.btz.\r\nSummarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of\r\nseveral different cyber-espionage projects. The well-publicized story of how US military networks were infected\r\ncould have served as the model for new espionage programs having similar objectives, while its technologies were\r\nclearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s\r\npossible, but the facts can’t prove it.\r\nSource: https://securelist.com/agent-btz-a-source-of-inspiration/58551/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://securelist.com/agent-btz-a-source-of-inspiration/58551/"
	],
	"report_names": [
		"58551"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e70e01d19e7e928585f8e71473be562f2d6f95f9.pdf",
		"text": "https://archive.orkl.eu/e70e01d19e7e928585f8e71473be562f2d6f95f9.txt",
		"img": "https://archive.orkl.eu/e70e01d19e7e928585f8e71473be562f2d6f95f9.jpg"
	}
}