Uroburos Profile

Security experts at GData, an antivirus-focused software company, have discovered “one of the most advanced rootkits we have ever analyzed in this environment”. Named Uroburos after a plain-text string present in several driver files, this very complex and highly sophisticated piece of malware was designed to discreetly steal confidential data while remaining extremely difficult to identify. A compile date of 2011 on the oldest identified driver file implies that both the malware and the campaign behind it have remained undetected for at least three years.

GData asserts that “The development of a framework like Uroburos is a huge investment;” that, based on complexity and design, the development team is comprised of highly skilled computer experts; and that “the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.” Further, based on the development cost, software complexity, and the spying techniques used, Uroburos is assumed to target governments, research institutes, and/or large business entities.

Interestingly, identifiers such as file names, program behavior, language usage and encryption keys show striking similarities to the Agent.BTZ malware used in a 2008 cyber attack against the United States. Both pieces of malware make heavy use of Russian and share the same obfuscation key, and Uroburos checks for the presence of Agent.BTZ prior to installing, remaining inactive if the older malware exists on the system.

Uroburos showcases its complexity in its ability to disguise malicious behavior. Using custom-written libraries, Uroburos modifies targeted system functions to redirect execution flow, a technique known as inline patching. As a result, the malware is able to add malicious behavior to legitimate functions.

The libraries also have the capability to create packet captures and are used to exfiltrate data to the outside world through one of several identified protocols:

- HTTP
- ICMP
- SMTP
- Named Pipe

Named Pipe is significant here because it provides a route for the rootkit to and from systems which are not connected to the internet. The following graphic shows how Machine A is controlled by, and passes information back to, Machine B, which then has the ability to exfiltrate data outside of the infected environment. Machine B can represent any infected host in the infrastructure with an internet connection, creating an extremely efficient, scalable and resilient peer-to-peer network design.

Closing words from GData: “This kind of data stealing software is too expensive to be used as common spyware. We assume that the attackers reserve the Uroburos framework for dedicated and critical targets. This is the main reason why the rootkit was only detected many years after the suspected first infection. Furthermore, we assume that the framework is designed to perform cyber espionage within governments and high profile enterprises but, due to its modularity, it can be easily extended to gain new features and perform further attacks as long as it remains undetected within its target.”

Technical Details:
SHA256: BF1CFC65B78F5222D35DC3BD2F0A87C9798BCE5A48348649DD271CE395656341
MD5: 320F4E6EE421C1616BD058E73CFEA282
Filesize: 210944

Current AV detection: VirusTotal currently shows a detection ratio of 31/50, with the phrase ‘turla’ appearing in most of the detection names.

Things to look for: HKLM\System\CurrentControlSet\Services\Ultra3
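
One way to check a Windows host for the indicators listed on this page, as an added example (not code from GData or from the original post). It assumes the Ultra3 service's ImagePath points at the file the hashes describe and that the file size is in bytes; the variable and function names are hypothetical.

```powershell
# Added example. Indicator values are copied from this page; the rest is assumption.
$Ioc = @{
    ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ultra3'
    Sha256     = 'BF1CFC65B78F5222D35DC3BD2F0A87C9798BCE5A48348649DD271CE395656341'
    Md5        = '320F4E6EE421C1616BD058E73CFEA282'
    FileSize   = 210944   # assumed to be bytes; the page gives no unit
}

function Resolve-ServiceImagePath {
    # Map a service ImagePath (\SystemRoot\..., \??\C:\..., system32\...) to a file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # Driver paths are often relative to %SystemRoot% (e.g. system32\drivers\x.sys).
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-UroburosIndicator {
    param([hashtable]$Indicator = $Ioc)
    $result = [ordered]@{
        ServiceKeyPresent = $false; ImagePath = $null; FileFound = $false
        SizeMatch = $false; Sha256Match = $false; Md5Match = $false
    }
    if (-not (Test-Path -LiteralPath $Indicator.ServiceKey)) { return [pscustomobject]$result }
    $result.ServiceKeyPresent = $true

    # ImagePath may be absent; the key's presence alone is still reported.
    $raw  = (Get-ItemProperty -LiteralPath $Indicator.ServiceKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $file = Resolve-ServiceImagePath $raw
    $result.ImagePath = $file

    if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
        $result.FileFound   = $true
        $result.SizeMatch   = (Get-Item -LiteralPath $file -Force).Length -eq $Indicator.FileSize
        $result.Sha256Match = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -eq $Indicator.Sha256
        $result.Md5Match    = (Get-FileHash -LiteralPath $file -Algorithm MD5).Hash -eq $Indicator.Md5
    }
    return [pscustomobject]$result
}

Test-UroburosIndicator | Format-List
```

A negative result on a live host is weak evidence, because a kernel rootkit can filter registry and file queries; where possible, run the same comparison against an offline registry hive or disk image.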

Information regarding Agent.BTZ:
http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml
http://en.wikipedia.org/wiki/2008_cyberattack_on_United_States

Link to GDATA full report (Reference Data): https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf  

Bernard Brantley, Security Researcher