G Data, a German software house and anti-virus specialist, published details on Uroburos on 28 February, but without saying where or how it found the malware. It describes it as "a very complex and sophisticated piece of malware, designed to steal confidential data." Its purpose is to infiltrate large networks using a peer-to-peer structure to get to and steal data even from those PCs that aren't directly connected to the internet. Such computers are more likely to contain the victim's most confidential data.
In one sense, it uses an internet-connected infected computer as a C&C device to collect confidential files from the victim network before sending them out to the attackers' own servers. The malware itself comprises a rootkit and an encrypted virtual file system, and is highly modular – which makes it, says G Data, not only "highly sophisticated but also highly flexible and dangerous. Uroburos' driver part is extremely complex and is designed to be very discrete and very difficult to identify."
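The relay architecture described above (isolated hosts hand data to one internet-connected peer, which forwards it out) leaves a characteristic shape in network flow data: one internal host receives from many internal peers and is also the one pushing a comparable volume to external addresses. The following is an added defensive example, not code from the article or from G Data; it runs over constructed flow records and assumes a single 10.0.0.0/8 internal range.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: everything in 10.0.0.0/8 is the victim's internal network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows (src, dst, bytes sent); not real traffic.
FLOWS = [
    ("10.0.1.11", "10.0.9.5", 48_000),       # isolated hosts feeding one peer
    ("10.0.1.12", "10.0.9.5", 51_000),
    ("10.0.1.13", "10.0.9.5", 47_500),
    ("10.0.2.20", "10.0.9.5", 63_000),
    ("10.0.9.5", "203.0.113.44", 205_000),   # that peer pushing a similar volume outside
    ("10.0.1.11", "10.0.1.12", 1_200),       # ordinary internal chatter
    ("10.0.3.7", "198.51.100.9", 4_000),     # ordinary outbound browsing
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_internal_peers=3, min_ratio=0.5):
    """Return internal hosts that look like exfiltration relays.

    A candidate collects data from at least `min_internal_peers` distinct
    internal hosts and sends at least `min_ratio` of that inbound volume to
    external addresses. Legitimate proxies, file servers and backup hosts
    match the same shape, so allow-list those before acting on a hit.
    """
    inbound = defaultdict(lambda: defaultdict(int))  # host -> internal peer -> bytes
    outbound_external = defaultdict(int)             # host -> bytes to outside

    for src, dst, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in:
            inbound[dst][src] += nbytes
        elif src_in and not dst_in:
            outbound_external[src] += nbytes

    candidates = []
    for host, peers in inbound.items():
        if len(peers) < min_internal_peers:
            continue
        in_bytes = sum(peers.values())
        out_bytes = outbound_external.get(host, 0)
        if out_bytes == 0:
            continue  # collects internally but never talks out: not a relay
        ratio = out_bytes / in_bytes
        if ratio >= min_ratio:
            candidates.append({
                "host": host,
                "internal_peers": len(peers),
                "bytes_in": in_bytes,
                "bytes_out_external": out_bytes,
                "out_in_ratio": round(ratio, 2),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_relay_candidates(FLOWS):
        print(hit)
```

The thresholds are deliberately loose so the shape is easy to see on the sample; in production you would tune them per segment, compare the fan-in against each host's own baseline, and treat a hit on a host that is not a sanctioned proxy or file server as a lead for the rootkit and hidden-file-system artefacts the article mentions.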
G Data is careful not to state outright that Uroburos was developed by the Russian intelligence services, but makes it clear that it believes so. Technical similarities with older malware known as Agent.BTZ make the company believe it was produced by the same group – Uroburos even checks for the prior existence of Agent.BTZ and remains inactive if it is found.
Agent.BTZ was used in an attack against the US in 2008. "During this 2008 campaign," says the G Data report, "a USB stick was deliberately 'lost' in the parking lot of the United States Department of Defense. This USB stick contained malicious code and infected the military's network." The report then goes on to highlight a Reuters report from 2011 that states the "U.S. government strongly suspects that the original attack was crafted by Russian Intelligence."
The complexity, sophistication, and targeting suggest that Uroburos has national intelligence resources behind its development. G Data indicates that it believes it to be Russian. Security expert Graham Cluley injects some caution. Snippets of language within the code are not necessarily "proof beyond reasonable doubt that citizens of a particular country were responsible, let alone that the attack has the backing of the country's government. The truth is that attribution when it comes to malware attacks is extremely difficult."
This was highlighted by another recently discovered cyberweapon, the Mask, which Kaspersky Lab found to contain Spanish-language snippets. "We should also not exclude the possibility of a false flag operation, where the attackers intentionally planted Spanish words in order to confuse analysis."
But regardless of who is behind Uroburos, there is one worrying aspect. "The oldest driver we identified," reports G Data, "was compiled in 2011, which means that the campaign remained undiscovered for at least three years... We believe," it adds, "the team behind Uroburos has developed an even more sophisticated framework, which still remains undiscovered."