“Complex” Uroburos Malware In Connection With Russian Intelligence?!

A new PDF report by the security firm “G Data” has uncovered a sophisticated piece of malware designed to steal confidential data from an infected user’s computer. G Data has dubbed the program “Uroburos” and believes that the malicious campaign behind it may have begun at least three years ago.

If true, then Uroburos may have gone completely undetected by Antivirus vendors since 2011!

G Data has identified Uroburos as an advanced rootkit. The program is made up of two files: a driver and an encrypted virtual file system. The rootkit has several capabilities:

- It can take control of the infected computer system

- It can execute arbitrary commands

- It hides system activities

- It can steal user information (most notably files)

- It can also monitor and capture network traffic

The rootkit has been dubbed Uroburos because of strings found in the program’s code. One of the strings found was “Ur0bUr()sGotyOu#”. Uroburos is a reference to the Greek word “Ouroboros”, an ancient symbol of a serpent or dragon eating its own tail. Other strings support the reference: the word “snake” is used several times in the code.

[Image: Ouroboros. Credit: G Data]

“Its (Uroburos’) modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discreet and very difficult to identify.”

G Data believes that there may be a link between Uroburos and a cyber attack against the U.S. conducted back in 2008: the rootkit uses many technical names (file names, encryption keys, behavior and more details mentioned in the report) that imply involvement from the same group behind that attack.

“Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ.” - G Data’s blog report.

The reasoning behind G Data’s stab at Russian involvement is that the investment needed to develop a framework of Uroburos’ quality is extremely high! It is highly unlikely that typical malware writers would have, or be able to afford, the resources needed to create such a program.

In addition to this, the team behind the development and the design of Uroburos must be an extremely skilled group of writers and computer experts.

Unfortunately, it is G Data’s belief that the team behind Uroburos has worked on other, more advanced variants that are still to be discovered!

“This kind of data stealing software is too expensive to be used as common spyware. We assume that the attackers reserve the Uroburos framework for dedicated and critical targets. This is the main reason why the rootkit was only detected many years after the suspected first infection.

Furthermore, we assume that the framework is designed to perform cyber espionage within governments and high profile enterprises but, due to its modularity, it can be easily extended to gain new features and perform further attacks as long as it remains undetected within its target.”

Users should note that any involvement with Russian intelligence is an assumption at this stage. G Data’s findings do support the possibility; however, nothing is set in concrete…

Despite the complexity and sophistication of Uroburos, regular users shouldn’t have too much to worry about. The research shows that the rootkit was most likely designed to target government and research institutions, companies dealing with private/sensitive information and other high-profile targets.

You can find out more about Uroburos and G Data’s research by downloading the PDF from G Data’s blog report. An excellent report!

Stay Safe!

About Danny Morton

Danny Morton is the founder and sole blogger, editor and representative of RYM. He has created the website to share his knowledge and experience in computer security, to report the biggest news and threats all in one place, and to help users protect themselves (and those around them) from infection and exploitation.

Posted on March 1, 2014, in Uncategorized.
