G Data Discovers Suspected Secret Service Software


Uroburos - Highly Complex Spyware With Russian Roots


Uroburos Graphic


Security experts at G Data have discovered and analyzed highly sophisticated and complex spyware. It is designed to steal highly sensitive secret information from high-value networks such as national institutions, intelligence services or large corporations. The rootkit, called Uroburos, works autonomously and spreads within infected networks on its own. Even computers that are not directly connected to the Internet are attacked by this malware. G Data believes that building such software requires substantial investment in personnel and infrastructure. The design and high level of complexity of the malware therefore give rise to the assumption that it originated from a secret service. Based on technical details such as file names, encryption and software behavior, it is suspected that Uroburos could come from the same source that also launched a cyber attack on the USA in 2008. On that occasion malware called "Agent.BTZ" was used. The German IT security provider estimates that this spyware has remained undetected for at least three years. Experts at G Data SecurityLabs have published additional details and a comprehensive analysis paper on the G Data security blog (http://blog.gdatasoftware.com/blog.html).

What is Uroburos?
Uroburos is a rootkit that consists of two files - a driver and an encrypted virtual file system. Attackers can use this malware to take control of the infected PC, execute any program code on the computer and cover up their actions on the system. Uroburos is also capable of stealing data and recording network data traffic. The modular structure enables attackers to enhance the malware with additional functions. Due to this flexibility and modularity, G Data considers this rootkit to be very advanced and dangerous.

Technical Complexity Points to Origin in a Secret Service
The complexity and design of Uroburos show that the malware was very costly to develop. G Data believes that highly trained developers must have been involved. The German IT security provider therefore assumes that cyber criminals were not involved in the development, and thinks that a secret service is behind Uroburos. The experts also think that the programmers are likely to have developed an even more advanced rootkit that has not been discovered yet.

Uroburos is designed to work in large networks belonging to companies, public authorities, organizations and research institutions: the malware spreads autonomously and works in "peer-to-peer" mode, where the infected computers in a closed network communicate directly with each other. The attackers only need a single computer with Internet access. The pattern shows that the attackers have taken into account the fact that networks often include PCs that are not connected to the Internet. The infected computers spy on documents and other data and transfer these to the PC with the Internet connection, from which all the collected data is transferred to the attacker. Uroburos supports both 32- and 64-bit Microsoft Windows systems.

Link to Russian Attack on USA Suspected
Based on the technical details, file names, encryption and behavior of the malware, G Data experts see a connection between Uroburos and a cyber attack that was carried out on the US in 2008; the same attackers are presumed to be behind those attacks and the rootkit that has just been discovered. On that occasion, malware called "Agent.BTZ" was used. Uroburos checks infected systems to see whether Agent.BTZ is already installed, in which case the rootkit does not become active. G Data also found indications that the developers of both malware programs speak Russian.

The analysis shows that the attackers are not targeting ordinary Internet users. The operational effort is only justified for worthwhile targets, i.e. large corporations, public institutions, secret services, organizations and similar targets.

Probably Undetected for More Than Three Years
The Uroburos rootkit is the most advanced piece of malware that the security experts at G Data have ever analyzed in this environment. The oldest driver that was found in the analysis was compiled in 2011. This indicates that the campaign has been undetected since then.

The Infection Vector Remains Unclear
So far, it has not been possible to determine how Uroburos initially infiltrates a high profile network. The attacks can happen in a number of ways, e.g. spear phishing, drive-by infections or social engineering attacks.

What Does the Name Mean?
G Data has called the malware "Uroburos" after a corresponding name used in the source code, which is based on an ancient Greek symbol of a serpent or dragon eating its own tail.

Company Profile
IT Security was invented in Germany: G Data Software AG is considered to be the inventor of AntiVirus. It was more than 25 years ago that the company, founded in Bochum in 1985, developed the first program to combat computer viruses. These days, G Data is one of the world's leading providers of IT security solutions.

Test results prove that IT security "Made in Germany" offers Internet users the best possible protection. Stiftung Warentest has been testing Internet security products since 2005. In all six tests performed between 2005 and 2013, G Data achieved the best virus detection. In comparative tests by AV-TEST, G Data regularly demonstrates the best results in the detection of computer malware. Internationally, G Data InternetSecurity has also been awarded best Internet security package by independent consumer magazines – in countries such as Australia, Austria, Belgium, France, Italy, the Netherlands, Spain and the USA.

The product range comprises security solutions for end customers as well as medium to large-sized enterprises. G Data security solutions are available worldwide in more than 90 countries.

For more information about the company and G Data security solutions, see http://www.gdatasoftware.com or contact the G Data Distribution Partner for North America: Contronex, Inc. 660 Ninth Street North, Naples, FL 34102 (http://www.contronex.com).

Contact Author

Beat Kramer
Contronex, Inc.
+1 (239) 649 7836 Ext: 113
Thorsten Urbanski
G Data Software AG
+49 (0) 234 9762-239