Is this Russia's Stuxnet? Security firm spots suspicious 'Uroburos' rootkit

Links to 2008 'Agent.btz' attack on US military

'Uroburos' is an advanced rootkit that has been infecting networks since as far back as 2011, quietly stealing data after setting up rogue P2P networks within its high-level targets.

It's modular, displays unusual complexity and is suspiciously discreet. Almost certainly programmed in Russia (from references in the code), it checks targets for the presence of the USB stick-loving Agent.btz ('Buckshot Yankee'), a mostly-forgotten worm that successfully got behind US military firewalls in 2008. If it finds it, it does not activate.

According to German security firm G Data, which has researched the new malware, the latter is a bit of a giveaway because Agent.btz was also almost certainly of Russian origin.

It's not quite the Soviet Stuxnet perhaps, but might Uroburos be the first confirmed example of a well-established Russian government cyber-weapons programme? One piece of suspicious malware is interesting, two downright odd.

"This malware behaviour is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal," said G Data in a teaser before it reveals a more detailed analysis. We're all ears.

"According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets."

Dating back to 2011 according to compile dates, its mode of infection remains a mystery but take your pick.

For the record, the name Uroburos (or Ouroboros) comes from a string found in the malware, and references an ancient Egyptian symbol of a serpent eating its own tail. For cyberwar experts, never a dull moment.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal Techsecuritymalware

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place