Russian government hackers have been suspected of establishing a highly sophisticated piece of malware that is designed to obtain files from digital infrastructure.  The Uroburos malware is named after an ancient symbol, which depicts a dragon eating its own tail.

G-Data said of the Uroburos malware that it was “one of the most advanced rootkits we have ever analysed in this environment”.  The malware is able to work on both 32-bit and 64-bit Microsoft Windows operating systems.  This gives rise to the theory that it is a well-funded effort on behalf of the criminals involved. It is estimated that Uroburos went undetected for at approximately three years.

New Banking malware i2Ninja being sold via underground Russian Cybercrime Market


G-Data said, “The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit…The design is highly professional; the fact the attackers use a driver and a virtual file system in two separate files which can only work in combination, makes the analysis really complicated. One needs to have the two components to correctly analyze the framework. The driver contains all of the necessary functionality and the file system alone simply cannot be decrypted…The network design is extraordinarily efficient, too; for an incident response team, it is always complicated to deal with peer-to-peer infrastructure. It is also hard to handle passive nodes, because one cannot quickly identify the link between the different infected machines.”

The connection to Russia was established after researchers from G-Data had discovered stacks of Russian-language strings in the code. Also, they found the malware whilst searching for the presence of Agent.BTZ. A piece of malware used in attacks on the United States back in 2008, which were alleged to have been orchestrated by Russian spies.

“We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered…We are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.” G-Data added.

Do you think that this originated with Government agents? If you have any sensible comments regarding this story, please leave your comments in the section below.

[Image via thehackernews]