Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43453
  • Total Topics: 16545
  • Online today: 2994
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 2
Guests: 2781
Total: 2783









Author Topic: The Uroburos rootkit - Russian work ?!  (Read 2630 times)

0 Members and 3 Guests are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
The Uroburos rootkit - Russian work ?!
« on: 06. March 2014., 17:25:04 »


Security researchers have discovered a complex and sophisticated piece of data-stealing malware they suggest may well be the work of state-sponsored hackers in Russia.

The Uroburos rootkit, named after a mythical serpent or dragon that ate its own tail – and a sequence of characters concealed deep within the malware’s code (Ur0bUr()sGotyOu#) – may have been active for at least three years prior to its detection by security researchers at German antivirus firm G Data.

Uroburos is designed to capture network traffic and steal files. It's a rootkit made up of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities, say the researchers.

The malware communicates over a peer-to-peer network. Providing it can find one computer with internet access within a compromised network, it's capable of stealing data from other infected computers on the same network – even if they don't have access to the interwebs. G Data says Uroburos uses two virtual file systems (one based on an NTFS file system and the other a FAT file system) to disguise its malign activities and to try to avoid detection.

These virtual file systems are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output.

G Data researchers reckon the complexity of the malware marks it out as much more likely to be the work of intelligence agencies than made by common or garden cybercrooks: http://blog.gdatasoftware.com/blog/article/uroburos-highly-complex-espionage-software-with-russian-roots.html

"The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered."

Similarities in techniques and technology point to links between Uroburos and a malware-based attack against the US around six years ago.

"Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ.
Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ."


The spread of the Agent-BTZ worm back in 2008 resulted in a US Army ban against the use of USB and removable media devices, the main vector of the infection: http://scforum.info/index.php/topic,2051.0.html

Uroburos is targeting high-profile enterprises, nation states, intelligence agencies and similar targets, G Data's security researchers conclude. One of the drivers identified in the Uroburos rootkit was compiled in 2011, evidence that the malware was created around three years ago. It's reasonable to assume it was released soon after it was created, implying the sophisticated malware has stayed under the radar of security firms for around three years. More details of the results of G Data's analysis thus far can be found in white paper here (PDF): https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf

Analysis of the malicious code is at an early stage, so key pieces are missing from the jigsaw, not least how Uroburos manages to spread.

"No light has been shined on how Uroburos might infect victim computers (although USB infection and targeted email attacks seem plausible), or who the victims might have been, or what data might have been stolen," writes independent security expert Graham Cluley in a blog post on the threat: http://grahamcluley.com/2014/03/russian-spyware

(ElReg)

Samker's Computer Forum - SCforum.info

The Uroburos rootkit - Russian work ?!
« on: 06. March 2014., 17:25:04 »

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Re: The Uroburos rootkit - Russian work ?!
« Reply #1 on: 06. March 2014., 19:43:03 »
 :down: Russia. America. China. Who's next :(

(impressive though, staying undetected for 3 years... An eternity!)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info

Re: The Uroburos rootkit - Russian work ?!
« Reply #1 on: 06. March 2014., 19:43:03 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023