Spy Virus Uroburos May Be Russian Attack on U.S.

Moscow HQ of the Russian FSB secret police

Security researchers have discovered what could be the Russian answer to the Stuxnet and “Red October” viruses: a sophisticated data stealer that may have been active for as long as three years before being discovered.

Researchers at German security company G Data Software AG posted an alert Feb. 28 about a rootkit they dubbed Uroburos, which they described as a complex, sophisticated piece of malware designed to steal data from secure facilities, which appears to have been created by Russian developers.

Like Stuxnet and its follow-ons Duqu and Flame, Uroburos is a modular framework to which attackers can add or subtract specific features to adapt to specific targets.

It is designed to designate one infected machine as the communications node to command-and-control servers, communicating primarily using peer-to-peer connections inside a network it has penetrated to infect new machines and to pass along orders from its controllers, or pass back files stolen from infected machines and network data.

Its two main components are a driver and an encrypted virtual file system designed to conceal its activities and stolen data.

The split between the driver files and the virtual file system makes analyzing the attack more difficult because neither alone contains enough information to indicate what the malware is doing: without the driver it is impossible to identify the malware’s functions or intention; without the file system it’s impossible to know what it has done or taken. The file system can’t be decrypted without the driver present, according to G Data’s technical analysis (the text of which is available as a PDF here).

The name Uroburos – from the Greek myth of a dragon eating its own tail that is often used as a metaphor for the infinite circle of time, the universe or the whack-a-mole competition between malware writers and security people who try to stop them – was found in plain text within several of the driver files.

The upper- and lower-case spelling in the code – Ur0bUr()sGotyOu# – is identical to spelling in a webcomic called Homestuck, though researchers at G Data didn’t suggest there was any closer connection between the two.

Similarities in file names, encryption keys and scraps of Russian in the code hint at a Russian origin, as does the presence of a function that checks for the presence of the virus Agent.BTZ, which was used as part of a large-scale attack against U.S. military facilities in 2008, according to G Data’s analysis.

Uroburos remains inactive if Agent.BTZ is present.

The Agent.BTZ attack resulted in USB and removable storage drives being banned in U.S. Army facilities, according to a March 3 story on Uroburos in The Register.

Portions of the code are dated as early as 2011, meaning the rootkit has been circulating for at least three years. The function telling it to remain inactive in the presence of Agent.BTZ and increasing sophistication of the other functions indicate Uroburos may already have been superseded by a more sophisticated replacement that has not yet been discovered, G Data researchers theorized.

That pattern adds backing to the theory of a Russian origin, but also indicates “that attacks carried out with Uroburos are not targeting John Dow, but high-profile enterprises, nation states, intelligence agencies and similar targets,” the analysis warned.

There is no indication of how Uroburos is injected into victim networks, but it buries itself deeply into the operating system of infected machines and extrudes functional hooks, external libraries and other functions to get its work done.

The driver and file system are installed as .sys and .dat files, and create a service identified in the registry of both 32- and 64-bit Windows systems as “HKLM\System\CurrentControlSet\Services\Ultra3.” Uroburos uses two encrypted file systems – one NTFS and the other FAT, hiding one inside the other – which are used to store additional penetration and exploitation tools as well as stolen files and network data.

They can be accessed through the devices \Device\RawDisk1 and \Device\RawDisk2 and the volumes \\.\Hd1 and \\.\Hd2, according to G Data’s analysis.
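A defender-side check for the artifacts named above, added here as an example and not taken from G Data's analysis. It assumes service-install events arrive as constructed key=value log lines, registry data as a .reg-style export, and open-handle listings as plain text; the driver file name in the sample is a placeholder.

```python
import re

# Indicators the article attributes to G Data's analysis of Uroburos.
SERVICE_KEY = r"HKLM\System\CurrentControlSet\Services\Ultra3"
DEVICE_NAMES = (r"\Device\RawDisk1", r"\Device\RawDisk2", r"\\.\Hd1", r"\\.\Hd2")
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample input (not real telemetry); the .sys name is a placeholder.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=Ultra3 ImagePath=System32\\drivers\\example_driver.sys",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
]
SAMPLE_REG = [
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ultra3]",
    r'"ImagePath"="System32\\drivers\\example_driver.sys"',
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]",
]
SAMPLE_HANDLES = [
    r"pid 4 File \Device\RawDisk1",
    r"pid 812 File \Device\HarddiskVolume1\Windows\System32\config",
]

def normalize_key(key: str) -> str:
    """Strip [brackets], expand the hive alias and lower-case so exports compare equal."""
    key = key.strip().strip("[]")
    hive, _, rest = key.partition("\\")
    return f"{HIVE_ALIASES.get(hive.upper(), hive.upper())}\\{rest}".lower()

def scan_registry_export(lines):
    """Return the key lines of a .reg-style export that equal the Ultra3 service key."""
    target = normalize_key(SERVICE_KEY)
    return [l.strip() for l in lines if l.startswith("[") and normalize_key(l) == target]

# key=value pairs separated by whitespace; values may contain backslashes and spaces.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def scan_service_events(lines):
    """Flag service-install events (Windows event 7045 style) naming the Ultra3 service."""
    hits = []
    for line in lines:
        fields = dict(_FIELD.findall(line))
        if fields.get("ServiceName", "").lower() == "ultra3":
            hits.append(("service", fields.get("ImagePath", "")))
    return hits

def scan_device_names(lines):
    """Flag lines (e.g. an open-handle listing) that name the hidden raw disks or volumes."""
    return [(name, l.strip()) for l in lines for name in DEVICE_NAMES if name.lower() in l.lower()]

if __name__ == "__main__":
    print(scan_registry_export(SAMPLE_REG), scan_service_events(SAMPLE_EVENTS), scan_device_names(SAMPLE_HANDLES))
```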

A queue file that “is the most interesting and complex part of the virtual file system” gives each message a unique ID, timestamp and encrypted content that can contain keys to decrypt other messages, configuration files, or function libraries to be used to infect other machines or crack files to which it had not yet gotten access.

The package also contains a number of third-party tools, including one responsible for a “pass the hash” attack, in which it captures hashed versions of user passwords and re-uses them to authenticate itself without having to crack them first. It uses HTTP GET and POST requests and ICMP, and creates a “proxy” function between the operating-system kernel and applications that helps conceal its activities.

“The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this Environment,” the G Data analysis concluded.

It’s reasonable to suspect Russians, but impossible to be certain Uroburos came from them, or from any state intelligence agency, according to independent security guru Graham Cluley, who was among the first to pick up on the significance of G Data’s discovery.

“What’s perhaps most embarrassing for all concerned is G Data’s claim that one of the oldest drivers identified in the Uroburos rootkit was compiled in 2011,” Cluley wrote, “meaning that it has gone undetected by everyone for at least three years.”

Image: Shutterstock.com/ Sergei Butorin