Thursday, 6 March 2014

G Data finds a Russian cyber weapon: the Uroburos rootkit

Uroburos rootkit malware
Because of its complexity, Uroburos is very hard to detect or remove with conventional tools.

Ouroboros is the classical ancient symbol of a serpent endlessly devouring its own tail. Taking its cue from that image, «Uroburos» is a new kind of malware that tends to swallow an entire network, in this case apparently as part of an espionage campaign.

According to the researchers, the rootkit, which steals confidential information, has been in use by its operators since 2011.

Specialists at the German company G Data have found a new malicious program designed to steal confidential information. According to the researchers, Russian intelligence services were involved in developing the malware. The Uroburos rootkit takes its name from the mythical dragon and from a character sequence found in the malware's code: Ur0bUr()sGotyOu#.

Uroburos steals files from infected computers and intercepts network traffic. The malware is designed to operate in a peer-to-peer mode in which infected systems communicate with one another. This lets the attackers use a single infected machine that has an Internet connection as a relay for controlling other PCs on the same LAN.

Notably, to hide its activity the rootkit uses two virtual file systems, one NTFS and one FAT, stored locally on the infected machine. These file systems give the attackers a place on the victim's PC to keep third-party tools, post-exploitation tools, temporary files and binary output. The virtual file systems are exposed through the devices \Device\RawDisk1 and \Device\RawDisk2, as well as the drives \\.\Hd1 and \\.\Hd2.

G Data's experts say: "The creation of a structure such as Uroburos requires huge investment. The development team behind this malware obviously consists of highly qualified IT specialists. This conclusion can be drawn from analysing the structure and modern design of the rootkit. We believe that the developers have also built improved versions of Uroburos, which will appear in the future."

Based on certain characteristics (file names, encryption keys, behaviour, and so on), G Data's representatives suggested that the authors of Uroburos belong to the same group of attackers that in 2008 attacked U.S. computer systems with the Agent.BTZ malware.

The experts also say that before installing itself on a victim's system, Uroburos checks for the presence of Agent.BTZ; if it is present, the new rootkit remains inactive. Further evidence that Russians may be behind Uroburos is the presence of Cyrillic in the malware's code.

Recall that after the Agent.BTZ attack the United States banned the use of USB drives and other removable media in the American military, as it was assumed that the Department of Defense infection had come in via a USB drive.

According to G Data's statements, the authors of Uroburos target large enterprises, state intelligence agencies and other organisations. The rootkit has presumably been in use for three years, as the oldest known version of the program dates from 2011.

Technical details
SHA256: BF1CFC65B78F5222D35DC3BD2F0A87C9798BCE5A48348649DD271CE395656341
MD5: 320F4E6EE421C1616BD058E73CFEA282
File size: 210944 bytes
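The two concrete indicators this post gives, the file hashes above and the device names of the hidden NTFS/FAT volumes, can be turned into a quick triage check. The script below is an added example written for this post, not G Data's code or anything from the report: it hashes a directory tree against the published size/MD5/SHA256, and on Windows tries to open the device names the rootkit exposes, treating "opens" or "exists but access denied" as present and "not found" as absent. The \\?\GLOBALROOT prefix used to reach the \Device\RawDisk names from Win32 is an assumption about the standard path mapping, and the 210944-byte file of zeros it writes for a demo run is constructed input that matches only the size indicator, not the real sample.

```python
"""Triage checks for the Uroburos indicators quoted in this post (added example)."""
import ctypes
import hashlib
import os
import sys
import tempfile

# File indicators quoted in the post (hashes compared case-insensitively).
UROBUROS_SHA256 = "BF1CFC65B78F5222D35DC3BD2F0A87C9798BCE5A48348649DD271CE395656341".lower()
UROBUROS_MD5 = "320F4E6EE421C1616BD058E73CFEA282".lower()
UROBUROS_SIZE = 210944

# Device names quoted in the post. \\.\ names are Win32 names usable with CreateFile
# directly; the \Device\ names are NT object paths, reached here through the usual
# \\?\GLOBALROOT prefix (assumption about the path mapping, not stated in the post).
DEVICE_NAMES = [
    r"\\.\Hd1",
    r"\\.\Hd2",
    r"\\?\GLOBALROOT\Device\RawDisk1",
    r"\\?\GLOBALROOT\Device\RawDisk2",
]

ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ERROR_ACCESS_DENIED = 5


def file_hashes(path, chunk=1 << 20):
    """Return (size, md5_hex, sha256_hex) of a file, streaming it in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha.update(block)
    return size, md5.hexdigest(), sha.hexdigest()


def matched_indicators(size, md5_hex, sha256_hex):
    """Indicators a file matches, strongest first. A hash match identifies the
    sample; a size-only match is weak and only shortlists a file for a closer look."""
    hits = []
    if sha256_hex.lower() == UROBUROS_SHA256:
        hits.append("sha256")
    if md5_hex.lower() == UROBUROS_MD5:
        hits.append("md5")
    if size == UROBUROS_SIZE:
        hits.append("size")
    return hits


def scan_tree(root):
    """Walk a directory tree; return {path: [indicators]} for every matching file."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size, md5_hex, sha256_hex = file_hashes(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            matched = matched_indicators(size, md5_hex, sha256_hex)
            if matched:
                hits[path] = matched
    return hits


def classify_open(opened, last_error):
    """Map a CreateFile outcome to a verdict; pure so it can be tested off Windows."""
    if opened:
        return "present"
    if last_error == ERROR_ACCESS_DENIED:
        return "present-denied"  # the object exists, we just lack rights to open it
    if last_error in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND):
        return "absent"
    return "unknown"


def probe_devices(names=DEVICE_NAMES):
    """Try to open each device name; return {name: verdict}. Windows only."""
    if sys.platform != "win32":
        return {}
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    generic_read, share_read_write, open_existing = 0x80000000, 0x3, 3
    invalid_handle = ctypes.c_void_p(-1).value  # INVALID_HANDLE_VALUE as ctypes returns it
    verdicts = {}
    for name in names:
        handle = k32.CreateFileW(name, generic_read, share_read_write, None, open_existing, 0, None)
        err = ctypes.get_last_error()
        opened = handle is not None and handle != invalid_handle
        if opened:
            k32.CloseHandle(handle)
        verdicts[name] = classify_open(opened, err)
    return verdicts


def make_constructed_sample():
    """Write a constructed 210944-byte file of zeros (NOT the real sample) into a
    fresh temp directory and return (directory, path); it matches only the size."""
    directory = tempfile.mkdtemp(prefix="uroburos_ioc_")
    path = os.path.join(directory, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(b"\0" * UROBUROS_SIZE)
    return directory, path


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()[0]
    for path, matched in scan_tree(root).items():
        print(f"{path}: {', '.join(matched)}")
    for name, verdict in probe_devices().items():
        print(f"{name}: {verdict}")
```

Run it with a directory to scan, or with no arguments to see the constructed sample hit the size indicator only. The device probe needs to run on the suspect Windows host itself; a "present" or "present-denied" verdict for any of the four names is worth escalating, while "absent" on all of them says nothing about other variants.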

Further details are available in G Data's report.
