FBI Disables Russian Malware

Reuters is reporting that the FBI “had identified and disabled malware wielded by Russia’s FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russia’s leading cyber spying programs.”

The headline says that the FBI “sabotaged” the malware, which seems to be wrong.

Presumably we will learn more soon.

EDITED TO ADD: New York Times story.

EDITED TO ADD: Maybe “sabotaged” is the right word. The FBI hacked the malware so that it disabled itself.

Despite the bravado of its developers, Snake is among the most sophisticated pieces of malware ever found, the FBI said. The modular design, custom encryption layers, and high-caliber quality of the code base have made it hard if not impossible for antivirus software to detect. As FBI agents continued to monitor Snake, however, they slowly uncovered some surprising weaknesses. For one, there was a critical cryptographic key with a prime length of just 128 bits, making it vulnerable to factoring attacks that expose the secret key. This weak key was used in Diffie-Hellman key exchanges that allowed each infected machine to have a unique key when communicating with another machine.

Posted on May 10, 2023 at 11:25 AM • 10 Comments
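Why the prime length matters for the Diffie-Hellman exchange described in the quoted passage, as an added example (not code from the post, the FBI, or Snake): a parameter audit a defender could run before accepting a group, next to a generic discrete-log solver that recovers a private exponent in a short-prime group. The 2048-bit floor, the function names and the 32-bit toy group are assumptions of this example.

```python
import math

MIN_PRIME_BITS = 2048  # assumed policy floor for finite-field DH in this example
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin over fixed bases; a probabilistic check for large n."""
    if n < 2:
        return False
    for q in BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_dh_prime(p):
    """Return the reasons a DH modulus should be rejected (empty list = accept)."""
    findings = []
    if p.bit_length() < MIN_PRIME_BITS:
        findings.append(f"prime is {p.bit_length()} bits, floor is {MIN_PRIME_BITS}")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("not a safe prime: (p-1)/2 is composite")
    return findings

def recover_exponent(g, public, p):
    """Baby-step giant-step: solve g^x = public (mod p) in about sqrt(p) steps."""
    m = math.isqrt(p - 1) + 1
    baby = {pow(g, j, p): j for j in range(m)}
    giant, gamma = pow(g, -m, p), public
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None

TOY_P, TOY_G = 4294967291, 2   # constructed 32-bit toy group (2**32 - 5), not Snake's
```

Baby-step giant-step is the generic method and its cost grows with the square root of the group order; faster index-calculus methods exist for prime fields, which is why policy floors for this kind of Diffie-Hellman sit at 2048 bits.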


Michael Richardson May 10, 2023 2:00 PM

Maybe “sabotaged” means that they found the magic DNS record that shouldn’t exist, and they created it.
Like that other time the UK researcher did that.

vas pup May 10, 2023 5:32 PM

EU lawmakers urge bloc-wide curbs on use of Israeli Pegasus spyware

“EU lawmakers on Monday voted to press member states and the European Commission to strictly regulate government use of spyware after scandals involving the Pegasus software, an Israeli-made tool.

A special committee in the European Parliament looking into the issue overwhelmingly adopted the recommendations, and called for those who had used Pegasus to spy on the smartphones of politicians and journalists to be held accountable.

Pegasus, which can be surreptitiously installed in a target’s smartphone, is able to read messages, geolocate and secretly turn on the device’s camera and microphone. NSO markets the technology as a tool to target criminals but many cases have been discovered worldwide of governments using it against dissidents, journalists and political opponents.

Among the report’s recommendations were that the use of Pegasus and similar spyware be effectively halted, and that a European tech lab be created to help citizens targeted by such software.”

Clive Robinson May 10, 2023 8:10 PM

@ ALL,

Re : Painting a target on your back.

I mentioned a few days back that using certain software was painting a target on your back because it gave a recognisable signature. Also that the network it created could be “mapped” because of it.

My statement was met with disbelief and comments that were in effect the FBI were not sufficiently sophisticated…

Yet here we are and the Ars Technica article has,

“‘Turla’s unique implementation of HTTP operates as a kind of signature, with the 8-byte metadata component of the Snake-HTTP packet incrementing in a predictable fashion,’ FBI Special Agent Taylor Forry wrote in an affidavit”

It was this signature that made the APT malware stand out from other traffic, and thus be recognised because it “painted a target on the back” of every machine that sent out such traffic.

So “The malware network got mapped”…

Perhaps some people should be less skeptical and maybe be a little more thoughtful if not touching a little on the soft paranoia that field craft is supposed to teach you before the opposition “disrupt your functioning in a terminating way”.

After all it’s not the first time this sort of thing has happened. As China and Iran demonstrated to the CIA not that long ago…
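The kind of check the quoted affidavit sentence implies, as an added example that is not part of the comment above, the affidavit, or any FBI tooling: given 8-byte fields already extracted from HTTP traffic, flag sources whose values advance by one constant step. The page does not describe the packet layout, so field extraction is out of scope; the big-endian decoding, the constant-step test, the sample threshold and all addresses and values are assumptions, and the observations are constructed.

```python
from collections import defaultdict

MASK64 = (1 << 64) - 1
MIN_SAMPLES = 4  # assumption: observations needed before a source is judged

def predictable_counters(observations, min_samples=MIN_SAMPLES):
    """observations: iterable of (source, 8-byte value) in capture order.
    Returns {source: step} for sources whose values advance by one constant,
    non-zero step modulo 2**64 (so a counter that wraps is still caught)."""
    per_source = defaultdict(list)
    for source, raw in observations:
        if len(raw) == 8:  # ignore fields of any other size
            per_source[source].append(int.from_bytes(raw, "big"))
    flagged = {}
    for source, values in per_source.items():
        if len(values) < min_samples:
            continue  # too little traffic to call it a pattern
        steps = {(b - a) & MASK64 for a, b in zip(values, values[1:])}
        if len(steps) == 1 and 0 not in steps:
            flagged[source] = steps.pop()
    return flagged

# Constructed observations (source address, 8-byte field), in capture order.
SAMPLE = (
    # steady +1 counter
    [("10.0.0.5", (0x1122334455667700 + i).to_bytes(8, "big")) for i in range(6)]
    # +1 counter that wraps past 2**64 - 1
    + [("10.0.0.8", ((MASK64 - 1 + i) & MASK64).to_bytes(8, "big")) for i in range(4)]
    # random-looking values, as a normal session token would be
    + [("10.0.0.9", bytes.fromhex(h)) for h in (
        "9f3c21aa04d17be2", "02bb90e6c5a1f344",
        "7710de4b19ac8035", "c45e0a92f6b3d718")]
    # incrementing, but below the sample threshold
    + [("10.0.0.7", (5 + i).to_bytes(8, "big")) for i in range(2)]
)
```

Legitimate protocols also carry sequence numbers, so a hit here is a lead to correlate with other indicators rather than a verdict.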

Winter May 11, 2023 12:07 AM


It was this signature that made the APT malware stand out from other traffic, and thus be recognised because it “painted a target on the back” of every machine that sent out such traffic.

Browser fingerprinting works for malware too? How convenient.

So, if you could make malware, or a browser, that gave every malware infection or browser the exact same fingerprint, you could not identify the malware creators or browser users anymore? Hiding in the herd, so to speak. If everybody has a target painted on their back, you still do not know who to shoot at.

Then, if you could get enough users to share the same fingerprint, you were, so to say, anonymous as an individual and no one could pin the malware infection or browsing history on you anymore.

You think someone created such malware or browsers?

ResearcherZero May 11, 2023 2:25 AM

Snake had problems with the implementation of encryption. A feature in many of RIS communications over the decades.

Peter May 11, 2023 2:41 AM

I look forward to the US extraditing these Russian criminals to face justice for hacking Russian government systems /s re: Denis Kulkov

ResearcherZero May 11, 2023 3:10 AM

“Vostok, I am Sneg 02. On the highway we have to turn left, f***,” one of the soldiers says in Russian using code names meaning “East” and “Snow 02.”

The ERA system is highly risky because it tries to combine non-encrypted and encrypted communications and requires a control center (probably in Moscow) to handle all ERA traffic.

(May 12 2022)

A heatmap of phones connected to the Russian mobile network in Ukraine shows approximate Russian troop concentrations in the country.


“You have to be a sophisticated news consumer in order to find credible information,” said Alexander Gabuev, a senior fellow at the Carnegie Moscow Center, a think tank. “Accessing different from the Kremlin’s point of view takes extra effort.”

Cogent is one of the biggest internet backbone carriers in the world.

“piggy in the middle”


Clive Robinson May 11, 2023 6:52 AM

@ ResearcherZero, ALL,

Re : Russian Comms fail because they are centrists.

It should be known by now that “The Russian System” of almost everything is,

1, Highly hierarchical.
2, Where you rise by being selected.
3, You have to pay upwards.
4, You can not survive on what you are allowed.

It does not take a PhD in psychology to work out what is going to happen.

One side effect is “dead men’s shoes” gives rise to nearly assured promotion in the hierarchy. That is if you first kill your competitors, then kill the boss, you are the only candidate to replace him (it’s almost always a him in such hierarchies).

Thus the further up in the hierarchy you are the more suspicious and less trusting you have to become thus the more you want everything to go through you so you can see threats arising.

Back in the days of the start of Project VENONA the Russian communications were via One Time Pad that had to “go through the center”. Those out in the field were kept isolated, they could not speak to each other, they did not know of each other and thus could not betray or plot their way up.

When you are dealing with only a few lines of communications the resulting “Star Network” model is manageable, but quickly starts to show strain and fail at the center.

The obvious problems with a centrist communications system,

1, Overload at the center.
2, Slow to react to input
3, Fails badly to any network disruption.

As was once pointed out to me,

“We all know what happens when you chop the head off of a chicken.”

Worse such hierarchies can only survive if there is significant corruption, to pay-up the chain as dues. Where to get the monies. Well only some types of Guard Labour can easily extort money from outside the organisation. It’s those that have significant contact outside the organisation such as “Law Enforcement”. The military when not in action has to feed upon itself by stealing from the organisation.

As I’ve mentioned before, a secure military radio is over one hundred to two hundred times the price of a cheap Chinese hand held like one of the many UV-5 etc that cover around 40Mhz of VHF and 80MHz of UHF spectrum.

So 100 UV-5’s at ~25USD is pocket change at ~2500USD compared to 100 Mil Spec Secure radios covering greater than 450Mhz of spectrum securely at ~5000USD each… So freeing up a half million dollars for bribes and a more comfortable life.

Mostly as long as you are not fighting a real enemy you don’t need “Secure Communications” and you can change the mock-battle exercises so SigInt is not in the parameters of engagement…

But come a real battle against an even hurriedly prepared SigInt opponent then you will head into a world of hurt at the “grunt level”. Further having troops poorly trained by “rule of thug” controlled from a distant center means any communications disruption and the ground troops are “out of control” and thus not of any use let alone effective… Plus they might behave as “Law Enforcement” do and extort bribes etc from the civilian population rather than fight.

As I’ve mentioned before small drones lifting “Software Defined Radio” dongles on “gum-stick” style microcontrollers networked to high end software on laptops out of harms way below, can from 50-60km away from the fighting give a very great deal of “SigInt” when faced by those using ineffective and insecure cheap Chinese two way radios.

As I’ve also been saying these “Large Language Model”(LLM) and similar AI, are not intelligent, but they are very good at surveillance which is why Alphabet-Google, Meta-Facebook, Microsoft and others are throwing millions of USD in LLMs and similar…

The thing is with the escape of Meta-Facebook’s model, a lot of people have used it to make small LLMs on high end laptops, that are nearly as effective and in some ways a lot better than the multiple million dollar server farm based LLMs the Silicon Valley Corp’s have (see my analogy of tectonic-uplift v weathering the other day, which someone else compared to snowflakes and ice).

Thus the Russian centrist behaviours have been seen to fail and fail badly…

Thus the question of if the Silicon Valley Corps realise a similar fate awaits them…

Hellon Rusk got badly upset about a youngster who used to tweet the location of his private jet in near real time[1], so killed his Twitter account when he had the opportunity.

The thing is with the escape of Meta’s AI Model and people putting it on “lap tops” virtually overnight for just a hundred bucks of cost… How long before the Open Source Intel brigade will turn them into “hunt the celeb” or whatever looking for and finding the tiny signals thought to be hidden in millions of tons of grass. Forget finding needles in haystacks, it will be finding iron-filings in vast prairies of straw bales. Or perhaps more apt with the likely outcome of the Piers Morgen replacements,

“Find a teardrop in an ocean, where ever it flows.”

These LLM’s will in the shortness of time become the biggest threat so far seen to privacy and all that follows from it such as personal safety, freedom of association and even thought.

[1] Aircraft like ships are required “for safety of navigation” to have ADS-B / AIS transponders reporting their identification and location continuously. In the case of ADS-B there are many amateurs receiving and decoding these signals and sending them to online databases and realtime tracks on maps. The FBI, CIA and other “agencies” have got upset that this information has uncovered many of their probably unlawful activities. Perhaps less well known is that mobile phones automatically talking to cell towers give away unencrypted meta-data that can also be received passively. So it’s not just the Gov Agencies having unlawful tactics available… A whole bunch of amateurs could with a little thought and work do the same, only on an industrial basis, allowing all sorts of people to have their movements thus activities tracked and put up as Open Source Intel…

ResearcherZero May 12, 2023 10:16 AM

Uroburos Recap

“Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. Notable hints include the usage of the exact same encryption key then (2008) and now, as well as the presence of Russian language in both cases.”

The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify.

“We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered. The oldest driver we identified was compiled in 2011, which means that the campaign remained undiscovered for at least three years.”

By commanding one infected machine that has Internet connection, the malware is able to infect further machines within the network, even the ones without Internet connection.

It can spy on each and every infected machine and manages to send the exfiltrated information back to the attackers, by relaying this exfiltrated data through infected machines to one machine with Internet connection.

This malware behavior is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal.

The rootkit uses two virtual file systems. One is persistent over reboot and NTFS formatted. The other one volatile and FAT formatted; its content is never flushed to a real file system, as a result its content is only accessible on a live infected machine. Both are encrypted with a CAST like algorithm. The filesystem clusters are decrypted on access via cache management. As a result the file systems do not appear in clear text even in the physical memory.

Two file systems are setup, the first one is persistent over reboot and backed by a file on the filesystem. The second one is volatile and only resides in memory, it is lost on rootkit restart or reboot. The persistent file system is setup in two steps: (i) setup a memory section backed by a file, (ii) provide access to the section via a device hooked with encryption/decryption primitive on access, (iii) mount the device as an NTFS filesystem.

After the initialization the rootkit opens and reads its configuration resources.

“obvious links can be found between Agent.BTZ and the much newer Snake rootkit – like a common XOR key used in both of them”



During this 2008 campaign, a USB stick was deliberately “lost” in the parking lot of the United States Department of Defense. This USB stick contained malicious code and infected the military’s network.

Another infection vector: when a clean computer attempts to map a drive letter to a shared network resource that has Agent.atz on it and the corresponding autorun.inf file, it will (by default) open autorun.inf file and follow its instruction to load the malware. Once infected, it will do the same with other removable drives connected to it or other computers in the network that attempt to map a drive letter to its shared drive infected with Agent.atz – hence, the replication.

Agent.BTZ must be considered as a vague origin of the whole family. It is not really known how old Agent.BTZ is, but we assume it’s actually older than 2007.

The Pentagon spent nearly 14 months cleaning the worm, named Agent.btz, from military networks. Agent.btz, a variant of the SillyFDC worm, has the ability ‘to scan computers for data, open backdoors, and send through those backdoors to a remote command and control server’

The techniques used demonstrate excellent knowledge of Windows kernel internals.


