Security researchers have discovered a complex and sophisticated piece of data-stealing malware they suggest may well be the work of state-sponsored hackers in Russia.
The Uroburos rootkit, named after a mythical serpent or dragon that ate its own tail – and a sequence of characters concealed deep within the malware’s code (Ur0bUr()sGotyOu#) – may have been active for at least three years prior to its detection by security researchers at German antivirus firm g.
Uroburos is designed to capture network traffic and steal files. It's a rootkit made up of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities, say the researchers.
The malware communicates over a peer-to-peer network. Providing it can find one computer with internet access within a compromised network, it's capable of stealing data from other infected computers on the same network – even if they don't have access to the interwebs. G Data says Uroburos uses two virtual file systems (one based on an NTFS file system and the other a FAT file system) to disguise its malign activities and to try to avoid detection.
These virtual file systems are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output.
G Data researchers reckon the complexity of the malware marks it out as much more likely to be the work of intelligence agencies than made by common or garden cybercrooks.
The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.
Similarities in techniques and technology point to links between Uroburos and a malware-based attack against the US around six years ago.
Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ.
Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.
The spread of the Agent-BTZ worm back in 2008 resulted in a US Army ban against the use of USB and removable media devices, the main vector of the infection.
Uroburos is targeting high-profile enterprises, nation states, intelligence agencies and similar targets, G Data's security researchers conclude. One of the drivers identified in the Uroburos rootkit was compiled in 2011, evidence that the malware was created around three years ago. It's reasonable to assume it was released soon after it was created, implying the sophisticated malware has stayed under the radar of security firms for around three years. More details of the results of G Data's analysis thus far can be found in white paper here (PDF).
Analysis of the malicious code is at an early stage, so key pieces are missing from the jigsaw, not least how Uroburos manages to spread.
"No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen," writes independent security expert Graham Cluley in a blog post on the threat. ®