Uroburos rootkit, is it part of Russian Cyber weapon programme?

Pierluigi Paganini March 03, 2014

Researchers at German G Data published an interesting analysis for Uroborun rootkit alleged to be a component of Russian cyber weapons programme.

Uroburos is considered an advanced rootkit that is active since as far back as 2011, it is used to infect networks belonging to high-level targets, stealing data after setting up rogue P2P networks, it targets both 32-bit and 64-bit Microsoft Windows systems.

The name Uroburos (or Ouroboros) as usual comes from a string found in the source code of the malware, it references an ancient Egyptian symbol of a serpent eating its own tail.

German security firm G Data has conducted an interesting study on the malware trying to discover its authors, it conclusion is that Uroburos is certainly of Russian origin.

What is Uroburos?

Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify.” reported G Data analysis.

The Uroborus rootkit presents an unusual complexity, it is a modular malicious agent certainly designed in Russia based on the references left by authors in its source code.  

Uroburos 2

The peculiarity of the malware is that it checks for the presence of the USB stick-loving Agent.btz (‘Buckshot Yankee’) on the victims’ computer, a worm that successfully infected US military networks in 2008. If Uroburos finds Agent.btz worm, it does not activate.

“The malicious software, or malware, caught a ride on an everyday thumb drive that allowed it to enter the secret system and begin looking for documents to steal. Then it spread by copying itself onto other thumb drives. Pentagon officials consider the incident, discovered in October 2008, to be the most serious breach of the U.S. military’s classified computer systems.”

“The efforts to neutralize the malware, through an operation code-named Buckshot Yankee, also demonstrated the importance of computer espionage in devising effective responses to cyber­threats.” reported the Washington Post.

According experts at G Data Uroburos is considerable a framework resulted from Intelligence activity, for sure it has requested a huge investment and it is likely that malware developers involved in the project are still working on it.

“By commanding one infected machine that has Internet connection, the malware is able to infect further machines within the network, even the ones without Internet connection. It can spy on each and every infected machine and manages to send the exfiltrated information back to the attackers, by relaying this exfiltrated data through infected machines to one machine with Internet connection.”

The Uroburos rootkit was designed to infect networks of huge organizations even if they have air gapped sub-networks.

Compare the Uroburos to Stuxnet it excessive in my opinion, anyway, it represents an important example of the effort spent by a government and according experts it is part of Russian government cyber-weapons programme.  

we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ.” reported G Data. 

At the time I was writing, it is unknown how Uroburos infiltrates targeted networks, most conceivable infection vectors are spear phishing, drive-by-infections, USB sticks, or social engineering attacks.

I suggest the reading of the detailed analysis issued by G-Data.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  cyber weapons, Urobutos)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment