Security firm spots suspicious 'Uroburos' rootkit: Is this Russia's Stuxnet?

Malware that has been infecting networks since as far back as 2011 and quietly stealing data is linked to 'Agent.btz' attack on US military

'Uroburos' is an advanced rootkit that has been infecting networks since as far back as 2011, quietly stealing data after setting up rogue P2P networks within its high-level targets.

It's modular, displays unusual complexity and is suspiciously discreet. Almost certainly programmed in Russia (from references in the code), it checks targets for the presence of the USB stick-loving Agent.btz ('Buckshot Yankee'), a mostly-forgotten worm that successfully got behind U.S. military firewalls in 2008. If it finds it, it does not activate.

[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

According to German security firm G Data, which has researched the new malware, the latter is a bit of a giveaway because Agent.btz was also almost certainly of Russian origin.

It's not quite the Soviet Stuxnet perhaps, but might Uroburos be the first confirmed example of a well-established Russian government cyber-weapons programme? One piece of suspicious malware is interesting, two downright odd.

"This malware behaviour is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal," said G Data in a teaser before it reveals a more detailed analysis. We're all ears.

"According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets."

Dating back to 2011 according to compile dates, its mode of infection remains a mystery but take your pick.

For the record, the name Uroburos (or Ouroboros) comes from a string found in the malware, and references an ancient Egyptian symbol of a serpent eating its own tail. For cyberwar experts, never a dull moment.

This story, "Security firm spots suspicious 'Uroburos' rootkit: Is this Russia's Stuxnet? " was originally published by Techworld.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies