Uroburos - highly complex spyware with Russian roots
G Data discovers suspected secret service software
Security experts at G Data have discovered and analysed highly sophisticated and complex spyware. This is designed to steal highly sensitive secret information from high potential networks such as national institutions, intelligence services or large corporations. The rootkit, called Uroburos, works autonomously and spreads in the infected networks on its own. Even computers that are not directly connected to the Internet are attacked by this malware. G Data believes that building such software requires substantial investments in personnel and infrastructure. The design and high level of complexity of the malware therefore give rise to the assumption that it originated from a secret service. Based on technical details such as file names, encryption and software behaviour, it is suspected that Uroburos could come from the same source that also launched a cyber attack on the USA in 2008. On that occasion malware called "Agent.BTZ" was used. The German IT security provider estimates that this spyware has remained undetected for at least three years. More information are available in the G Data SecurityBlog - http://blog.gdatasoftware.com/blog.html.
What is Uroburos?
Uroburos is a rootkit that consists of two files - a driver and an encrypted virtual file system. Attackers can use this malware to take control of the infected PC, execute any program code on the computer and cover up their actions on the system. Uroburos is also capable of stealing data and recording network data traffic. The modular structure enables attackers to enhance the malware with additional functions.
Due to this flexibility and modularity, G Data considers this rootkit to be very advanced and dangerous.
Technical complexity points to origin in the secret service
The complexity and design of Uroburos attest to the malware being very complex and costly to develop. G Data believes that highly trained developers must have been involved. The German IT security provider therefore assumes that cyber criminals were not involved in the development, and think that a secret service is behind Uroburos. The experts also think that the programmers are likely to have developed an even more advanced rootkit that has not been discovered yet.
Uroburos is designed to work in large networks belonging to companies, public authorities, organisations and research institutions: the malware spreads autonomously and works in "peer-to-peer" mode, where the infected computers in a closed network communicate directly with each other. The attackers only need a single computer with Internet access. The pattern shows that the attackers have taken into account the fact that networks often include PCs that are not connected to the Internet as well. The infected computers spy on documents and other data and transfer these to the PC with the Internet connection, from which all the data that has been collected is transferred to the attacker. Uroburos supports both 32 and 64 bit Microsoft Windows systems.
Link to Russian attack on USA suspected
Based on the technical details, file names, encryption and behaviour of the malware, G Data experts see a connection between Uroburos and a cyber attack that was carried out on the US in 2008 - the same attackers are presumed to be behind those attacks and the rootkit that has just been discovered. On that occasion, malware called "Agent.BTZ" was used. Uroburos checks infected systems to see whether the malware is already installed, in which case the rootkit does not become active. G Data also found indications that the developers of both malware programs speak Russian.
The analysis shows that the attackers are not targeting ordinary Internet users. The operational effort is only justified for worthwhile targets, i.e. large corporations, public institutions, secret services, organisations and similar targets.
Probably undetected for more than three years
The Uroburos rootkit is the most advanced piece of malware that the security experts at G Data have ever analysed in this environment. The oldest driver that was found in the analysis was compiled in 2011. This indicates that the campaign has been undetected since then.
The infection vector remains unclear
So far, it has not been possible to determine how Uroburos initially infiltrates a high profile network. The attacks can happen in a number of ways, e.g. spear phishing, drive-by infections or social engineering attacks.
What does the name mean?
G Data has called the malware "Uroburos" after a corresponding name used in the source code, which is based on an ancient Greek symbol of a serpent or dragon eating its own tail.