New Cyber Espionage Malware Named Uroburos/Snake Detected By Cyber Security Researchers

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Developed Nations have been making and using Sophisticated Malware that is well beyond traditional and modern Cyber Security Mechanisms. Even well trained Cyber Security Professionals cannot detect them till these Malware have already achieved their Surveillance and Espionage tasks.

For instance, Malware like Stuxnet, Duqu and Flame have simply proved this point. They kept on creating havoc for many years in an undetectable and covert manner. They were detected only recently and since then their variants have been making rounds in the Cyberspace.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). In the absence of international harmonisation in this crucial field, countries would keep on attacking one another in the Cyberspace.

In the latest news in this regard, G Data Security experts have analysed (PDF) a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware’s code and following an ancient symbol depicting a serpent or dragon eating its own tail.

According to G Data Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify.

BAE systems have labelled it as “Snake” (PDF) and it has identified two distinct variants, both highly flexible but with two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enables an effective data exfiltration mechanism. At the same time, Snake exposed a flexibility to conduct its operations by engaging these noticeably different architectures.

According to media reports, ‘Uroburos’ has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it. It now transpires that Snake has been slithering silently around networks in the U.S. and its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers but cyber security firm(s) believes that on past experience they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively. While none have specifically named Russia as the originator for this malware yet some have put the country under suspicion.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called, Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that the evidence is circumstantial and it is very difficult to attribute Cyber Criminality with great certainty.