Why Was the Dissection of Snake Malware pulled from the Black Hat Conference?

I can’t answer this question precisely, so I am going to have to speculate a bit in this post. One thing is for sure: I don’t accept the official BAE explanation. “We are not now speaking on this at Black Hat as we are in the midst of writing a new report on Snake that we anticipate will be published in September.” I can’t accept this because this malware, perhaps the most complex malware ever created, has a well-documented history. There is no reason why BAE should not have allowed the presentation to go on as scheduled if, for no other reason, this would have been good PR. Besides, there have already been several reports put out on Snake (aka Uroburos) this year, one of the most comprehensive of which was by BAE itself, no less. What else would be so revolutionary that it could not be delivered at the conference? The presenter, Sergei Shevchenko, has put a lot of work into deciphering this malware from the time that it first appeared. No doubt he could add more technical information about what in the code allowed him to learn more about it and its creators. However, we are left in the dark. All abstracts of the talk were pulled off the Black Hat web site. I, therefore, tried to see if he had lectured anywhere else recently. I found that he had given a presentation in Australia in April but nothing of interest could be found there. That left information published on the Israel Department of Defense website. Unfortunately, when I tried to get to it, the website was down, and had been down for a number of days. Apparently, it was under a DDoS attack by the Anonymous hacking group. I can’t even find a reference to it anymore. Anyway, for all of these reasons, I must speculate based on what is known about Snake. I should add that even those who have reported on Snake admit that they, too, have had to speculate on some aspects of its design.


So what do we know about Snake? First of all, it seems to have begun its life back in 2008 as an evil little worm called Agent.btz. This was no ordinary malware. This is the malware that infiltrated the U.S. Defense Department. Called the “worst breach of U.S. military computers in history”, it took the government 14 months to get rid of it. In the process, one must assume the Defense Department learned a lot about how this malware was constructed.

Agent.btz went through a number of transformations before it emerged again in 2013 under the names of Uroburos, Turla, and Snake. Yet, there are a number of reasons why Uroburos seems to be directly related to Agent.btz. You can read the details about these in the G Data SecurityLabs report. There are also a number of reasons why this malware can be traced to Russia, such as the use of Russian language in parts of the code. G Data also notes that “we believe that, until today, the team behind Uroburos has developed an even more sophisticated framework, which still remains undiscovered.” This is because Uroburos is so good at covering its tracks. It took years to discover the first attack and, if there are more sophisticated versions, they are likely not yet discovered. This may be one reason why BAE may have pulled the presentation. If they knew of a new variant, why give a free pentest to the hackers who could later use it to improve their Snake malware? BAE does not take a particularly strong ethical stance on sharing data with the security community. This is because they have more practical concerns. They have nation state customers, such as the U.S. government, and, as they emphasize on their website, “we understand and support our customers’ national security and other requirements.” It is reasonable that this is their first priority. Therefore, it may be that the U.S. government/Defense Department does not want this information disseminated simply to protect itself from further attacks. Delaying the presentation would allow these agencies to take any new findings into account and help them in either building a better defense or in finding any variants of the malware that may have worked their way onto their networks. In such a case, it would be better to keep the malware developers in the dark.

So where does Snake stand among recent information gathering malware? At one time, Stuxnet was the most sophisticated malware known. Stuxnet is generally considered to be a product of the U.S. and Israeli governments. Then came Flame, which was called by one of its discoverers at Budapest University of Technology and Economics “the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.” At first it was believed that Stuxnet and Flame were not related; however, after more in-depth analysis, Kaspersky finally concluded that they were, even though Flame was considered to be 20 times more complex than Stuxnet. Strangely, Flame bears similarities to Uroburos, or Snake, yet this malware has been linked to Russian hackers. Why should this be so? To help explain this, it might be best to give a timeline of the development of this malware to get a somewhat more simplified look at the complex connections between the associated variants.

History of Snake’s Development

2005 – Projected date of Agent.btz development (linked to Russia)

2007 – Red October malware attacks thought to have begun (linked to Russia)

2008 – Agent.btz attacks US Department of Defense

2009, October – Agent.btz finally removed from government computers

2009 – First variant of Stuxnet (Kaspersky)

2010, February – Flame begins operating in the wild (linked to US and Israel)

2010, June – Stuxnet discovered (linked to US and Israel)

2010, September – US DoD releases information on the 2008 Agent.btz attack

2011 – Earliest dated Uroburos/Snake driver

2011 – After 4 years of operating undiscovered, Red October malware identified and said to have copied Agent.btz architecture

2012 – Flame discovered, connected to Stuxnet (development linked to US and Israel)

2013 – Uroburos (aka Turla/Snake) discovered (linked to Russia)

2014, August – Epic Turla (Kaspersky)

There are a few things this timeline makes clear. First of all, this malware is really good at hiding itself. It takes years to be discovered. By the time the US DoD announced the 2008 breach in 2010, you can be quite sure that Agent.btz had been completely analyzed and, most likely, used as a template for Stuxnet. This may seem like a quick turnaround, but, for a Trojan to work well, it has to be deployed quickly and stealthily. I should note that this software has the ability to hide its creation dates, so there is some disagreement over this among investigators. However, the main question that comes from this timeline is: How can Snake and Flame be related but come from opposite sides of the cyber espionage divide?

The answer lies in the architecture of Agent.btz. Once that was unraveled by US investigators, they were able to use it, and possibly some of its components, to build their own information gathering Trojan. Thus, began two lines of development, one in the US, with the help of Israel, and one in Russia. Both lines fed off of each other as each new variant exposed more complex exploitation techniques which were then modified and deployed as newer variants, and on, and on, and on. Thus, all security companies predict new variants are probably already out there doing their information gathering business until they are discovered. The operating strategy of each new variant is to check a machine before it infects it to see if it has a copy of an earlier variant which it can then modify to accept the new strain. However, until just recently, it was not known how Snake could get into a network in the first place.

Agent.btz, so the story goes, got into the US Department of Defense computers through a USB that someone found in the parking lot. After that, it could spread throughout the network and even to computers not connected to the internet. Earlier this month, Kaspersky reported that they now know how Snake infects a network. The main methods of attack are through zero day exploits, spear phishing, watering hole attacks, and social engineering attacks. Epic Turla, which Kaspersky calls the entire exploit operation, occurs in three stages, each one compromising the system more and more. (The technical details of this exploit can be found here.) As usual, the malware targets government agencies, the military, large research institutions, and embassies. Kaspersky notes that they themselves were recently attacked. It could be that BAE learned of this new variant and planned on giving details of it in September, as promised. Unfortunately for them, Kaspersky may have beaten them to it and, thus, a good PR opportunity was lost. Still, they may know something that others don’t. We’ll just have to wait and see.

Now, one often assumes that government agencies, such as the US Department of Defense, would have the best security possible. In truth, their security is adequate at best. In a recent Forbes article, Marc Tobias criticizes government security measures saying “current technology and practices will not keep criminals out. One expert I met with put it succinctly: ‘our software designs and user interfaces are still at the level of the Model T.’” This may be an exaggeration, but there is a fundamental problem. This is the problem all big enterprises have: their sheer size. The fact that large enterprises have so many subcontractors and associated partners makes them far easier to attack than smaller businesses. Just as Target was attacked through a subcontractor, so, too, could government agencies be targeted. Currently, the government is considering implementing a BYOD policy in some of its agencies. Though this seems like a step forward in modernization, it is also a step into the arms of attackers. It’s a very simple formula: More endpoints = more points to attack. Certain types of attacks, such as spear phishing, social engineering, and watering hole attacks, are particularly effective in compromising endpoints and, thereby, gaining access to a network.

You can be certain that Snake and its newer and improved friends are waiting for any opportunity to strike. In the light of current international developments, this is a time when all government agencies need to be especially vigilant and security conscious. Every effort must be made to keep vital information secure and the entire enterprise, including subcontractors and partner agencies, must be protected with multiple security layers. This is a time that the government needs to lead in security and not simply follow acceptable trends. At such a time, it is not enough for the government to meet the highest security standards. It must exceed them.

______________________________________________________

If your enterprise requires the highest levels of security, it may be time for a paradigm shift. InZero Systems offers a hardware separated security architecture for all network devices that even competitors admit is unmatched in the field. If you are worried that your endpoints might be compromised, this architecture is for you. It puts an impenetrable barrier between any compromised user and valuable enterprise data. Contact them at info@workplaytablet.com

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.