Feeds

Security researchers uncover three-year-old 'RUSSIAN SPYware'

Claim Agent.BTZ-alike Uroburos could be state-backed

Using blade systems to cut costs and sharpen efficiencies

Security researchers have discovered a complex and sophisticated piece of data-stealing malware they suggest may well be the work of state-sponsored hackers in Russia.

The Uroburos rootkit, named after a mythical serpent or dragon that ate its own tail – and a sequence of characters concealed deep within the malware’s code (Ur0bUr()sGotyOu#) – may have been active for at least three years prior to its detection by security researchers at German antivirus firm g.

Uroburos is designed to capture network traffic and steal files. It's a rootkit made up of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities, say the researchers.

The malware communicates over a peer-to-peer network. Providing it can find one computer with internet access within a compromised network, it's capable of stealing data from other infected computers on the same network – even if they don't have access to the interwebs. G Data says Uroburos uses two virtual file systems (one based on an NTFS file system and the other a FAT file system) to disguise its malign activities and to try to avoid detection.

These virtual file systems are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output.

G Data researchers reckon the complexity of the malware marks it out as much more likely to be the work of intelligence agencies than made by common or garden cybercrooks.

The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.

Similarities in techniques and technology point to links between Uroburos and a malware-based attack against the US around six years ago.

Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ.

Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.

The spread of the Agent-BTZ worm back in 2008 resulted in a US Army ban against the use of USB and removable media devices, the main vector of the infection.

Uroburos is targeting high-profile enterprises, nation states, intelligence agencies and similar targets, G Data's security researchers conclude. One of the drivers identified in the Uroburos rootkit was compiled in 2011, evidence that the malware was created around three years ago. It's reasonable to assume it was released soon after it was created, implying the sophisticated malware has stayed under the radar of security firms for around three years. More details of the results of G Data's analysis thus far can be found in white paper here (PDF).

Analysis of the malicious code is at an early stage, so key pieces are missing from the jigsaw, not least how Uroburos manages to spread.

"No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen," writes independent security expert Graham Cluley in a blog post on the threat. ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.