Feeds

Security researchers uncover three-year-old 'RUSSIAN SPYware'

Claim Agent.BTZ-alike Uroburos could be state-backed

Securing Web Applications Made Simple and Scalable

Security researchers have discovered a complex and sophisticated piece of data-stealing malware they suggest may well be the work of state-sponsored hackers in Russia.

The Uroburos rootkit, named after a mythical serpent or dragon that ate its own tail – and a sequence of characters concealed deep within the malware’s code (Ur0bUr()sGotyOu#) – may have been active for at least three years prior to its detection by security researchers at German antivirus firm g.

Uroburos is designed to capture network traffic and steal files. It's a rootkit made up of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities, say the researchers.

The malware communicates over a peer-to-peer network. Providing it can find one computer with internet access within a compromised network, it's capable of stealing data from other infected computers on the same network – even if they don't have access to the interwebs. G Data says Uroburos uses two virtual file systems (one based on an NTFS file system and the other a FAT file system) to disguise its malign activities and to try to avoid detection.

These virtual file systems are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output.

G Data researchers reckon the complexity of the malware marks it out as much more likely to be the work of intelligence agencies than made by common or garden cybercrooks.

The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.

Similarities in techniques and technology point to links between Uroburos and a malware-based attack against the US around six years ago.

Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ.

Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.

The spread of the Agent-BTZ worm back in 2008 resulted in a US Army ban against the use of USB and removable media devices, the main vector of the infection.

Uroburos is targeting high-profile enterprises, nation states, intelligence agencies and similar targets, G Data's security researchers conclude. One of the drivers identified in the Uroburos rootkit was compiled in 2011, evidence that the malware was created around three years ago. It's reasonable to assume it was released soon after it was created, implying the sophisticated malware has stayed under the radar of security firms for around three years. More details of the results of G Data's analysis thus far can be found in white paper here (PDF).

Analysis of the malicious code is at an early stage, so key pieces are missing from the jigsaw, not least how Uroburos manages to spread.

"No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen," writes independent security expert Graham Cluley in a blog post on the threat. ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.