A host of better-known security vendors have confirmed that a bit of malware named Uroburos by obscure German anti-virus company G Data Software AG is a sophisticated, dangerous and widespread tool likely written and controlled by a national intelligence agency.
Most also confirmed that the modular, highly adaptable document-stealing toolkit has been attacking government and military sites since 2005, but guessed it had been in continuous development since before that point. G Data suggested Uroburos was an aging, possibly obsolete version of the toolkit, and that an even more sophisticated edition might be at work already without having been detected.
Security companies have been aware of the rootkit G Data called Uroburos, but either didn’t realize the extent of its abilities or didn’t talk about it as a separate entity rather than as the evolved version of a notorious piece of spyware called Agent.BTZ, which was used to attack a number of U.S. and NATO military facilities in 2008, according to a March 7 story in Reuters.
They’ve also been calling it by different names. Symantec and F-Secure refer to the evolved version of Agent.BTZ as “Turla.”
Britain’s BAE Systems Applied Intelligence calls it “Snake,” and described it in a report published March 7 as “one of the most sophisticated and persistent threats we track.”
Turla is a framework of interrelated tools created by a “super active development group” that is quick to create new tools or exploits to counter new barriers and to move, protect or hide the command-and-control (CnC) servers they use to control Turla-infected machines in the field, according to Symantec Security Response technical director Eric Chien, who was quoted in the Reuters story. The toolkit contains more than 100 files or modules that give it a range of ways to bypass network- or PC-based security, search for and capture sensitive data both on hard drives and passing along the network, and communicate with its controllers all with remarkable stealth, according to the BAE report. (A PDF of the full report is available here.)
“The resilience of the Snake malware in the face of cyber security counter measures is in part a result of its kernel centric architecture, which is extraordinary in its complexity. Its design suggests that attackers possess an arsenal of infiltration tools and bears all the hallmarks of a highly sophisticated cyber operation,” according to the BAE report.
Researchers on the forums at exploit-analysis site KernelMode.info called the toolkit Turla Sengoku – after text in the driver decrypted by one forum moderator –and posted source code for the driver. Forum members also found that Turla/Snake/Uroburos bypassed PatchGuard using a kernel-mode splicing technique that has been public knowledge since 2008. Once it has loaded its kernel into Windows, Snake inserts hooks that allow it to infect any newly launched processes and stays dormant except to monitor userland processes until one communicates with a web server, according to the BAE report.
When a user goes online, the driver intercepts the process, injects a malicious DLL into it and uses that hijacked process to connect to make its own DNS and HTTP requests to make a connection with hard-coded command-and-control servers. The toolkit stays covert by hiding the traffic of its own communication within the user’s own request to avoid barriers in the firewall or intrusion-detection monitors. “Even a technically savvy user will find it challenging to detect Snake traffic among legitimate traffic,” the BAE analysis concluded.
It also inserts hooks into existing network driver interface specification (NDIS) processes and registers a miniport virtual NIC function of its own as an NDIS protocol driver that allows it to use a private TCP/IP stack, “bypassing all firewall hooks, and making its open ports invisible to scanners,” according to BAE. Snake hides most of its logs and data dumps in hidden virtual volumes, making even its detritus difficult to detect. The best way to identify is is by searching logs for connections to the CnC servers hard-coded in the Snake code, search MD5 hashes for matches with samples published by BAE and other security companies, and build SNORT rules and Indicators of Compromise on host-based scanners to identify the burst of malicious traffic from Snake when a user goes online,
Sweden’s National Defense Radio Establishment – its version of the U.S. National Security Agency signals-intelligence agency – told Reuters it had detected a number of attacks by Turla/Snake/Uroburos; officials in Finland also acknowledged having been attacked, but didn’t confirm whether the culprit was related to Turla or Agent.BTZ. None of the investigations have turned up proof the malware is Russian, or that it is connected to official Russian intelligence services.
However, “It is sophisticated malware that’s linked to other Russian exploits, uses encryption and targets western governments,” according to a separate Reuters story that quoted Jim Lewis, a former U.S. foreign service officer who now works as an analyst at the Center for Strategic and International Studies in Washington. “It has Russian paw prints all over it.”
Image: BAE Systems Applied Intelligence