Uroburos

There is now an extensive cyberwar taking place between Russia and Ukraine. Cyber security researchers at GData and BAE Systems have discovered a piece of malware which appears to have originated in Russia and is now being used against Ukraine. The malware has been designated “Uroburos” by GData. Uroburos is a mythical snake or dragon which is eating its own tail. The same code is called “Snake” by BAE Systems. This graphic from BAE Systems shows the targets of Uroburos:

[Graphic from BAE Systems: Uroburos targets]

GData released its initial report on March 3, 2014, and a follow-up report on March 7, 2014. BAE Systems released its report on March 7, 2014. The research of GData and BAE Systems paints a frightening picture of a highly complex piece of malicious software. Uroburos has been doing its dirty work undetected for a long time — some evidence uncovered by BAE Systems indicates that Uroburos attacks may have begun in 2005! Uroburos combines several clever techniques to embed itself in systems and remain undetected. Quoting from the BAE Systems report:

Now comes the most interesting part: does the dropper manage to load its 64-bit unsigned driver under 64-bit versions of Windows Vista and later versions, such as 64-bit Windows 7/8? The answer: Yes, it does.
Does it resort to using bootkit technology, which has been used in the past to bypass protections to load unsigned 64-bit drivers?  The answer: No. Bootkits must overwrite the Master Boot Record (MBR) and antivirus products are well trained to catch that kind of bad behavior.

GData explains this exploit in non-technical terms:

Once smuggled onto the system, Uroburos gets past the Kernel Patch Protection – also known as PatchGuard – which secures the core of Windows 64 bit operating systems and is designed to prevent changes being made to it. The malware manipulates the kernel and puts it into test mode. The rootkit can embed itself there without hindrance and is accepted as a valid system driver by the operating system.
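A defender-side check for the two artefacts the GData description points to, a kernel left in test-signing mode and a running kernel driver whose signature does not verify, written as an added PowerShell example; it is not code from the GData or BAE Systems reports, and the function names are my own. It assumes an elevated PowerShell 3.0 or later session on Windows with bcdedit.exe on the PATH.

```powershell
# Added defender-side check; not code from GData, BAE Systems or the malware.
# Assumptions: run elevated, PowerShell 3.0+, bcdedit.exe available on PATH.

function Test-KernelTestSigningEnabled {
    # bcdedit only prints a 'testsigning' line for the current boot entry when
    # the option is set; 'Yes' means unsigned drivers load on the next boot.
    $bcd = (& bcdedit.exe /enum '{current}' 2>&1) -join "`n"
    return [bool]($bcd -match '(?im)^\s*testsigning\s+Yes\s*$')
}

function Get-UnverifiedRunningDrivers {
    # Win32_SystemDriver lists the kernel-mode drivers the service manager knows.
    # PathName may be a plain Win32 path, '\??\C:\...', '\SystemRoot\...' or a
    # path relative to the Windows directory, so normalise before checking.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                # Inbox drivers are catalog-signed; Get-AuthenticodeSignature
                # resolves catalogs on Windows 8 and later, so on older systems
                # expect benign NotSigned hits and triage against a known-good baseline.
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name   = $_.Name
                        Path   = $path
                        Status = $sig.Status
                        Signer = $sig.SignerCertificate.Subject
                    }
                }
            }
        }
}

# A driver that only alters code-integrity state in memory leaves the BCD store
# untouched, so a clean bcdedit result alone is not a clean bill of health;
# read both results together.
"Test-signing mode set in BCD: $(Test-KernelTestSigningEnabled)"
Get-UnverifiedRunningDrivers | Format-Table -AutoSize
```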

How does Uroburos get smuggled into systems? The initial infection vector isn’t yet known, but the researchers suspect that spearphishing is a likely route.

Spearphishers deceive people into making bad email decisions that compromise security. In the Iconix system, employees use SP Guard to make better email processing decisions.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3, or use our online form.