Russian State-Sponsored Malware Discovered in the Wild

Researchers from the German network-security firm G Data have announced that they have discovered a new malware/rootkit combination which has been running unabated for over three years.

Named after the mythical snake that is usually pictured eating its own tail, Ouroboros functions much as you would expect a standard widely-cast botnet to, i.e., recording traffic, creating zombie relays, and replicating as much as possible over a peer-to-peer network.

Ouroboros relies on two separate file systems to operate, one on NTFS and another on FAT, in order to elude detection and stay compatible with as many different systems as it can on its trip around the world. From there the attackers are able to run any programs, rootkits, or exploitation tools necessary to compromise a computer and set it up to accept connections from unknown sources or malicious redirects.

Researchers at G Data have ample reason to suspect this is not just the work of your everyday hacker: the code is complex and the anti-detection techniques are so advanced that they may very well be the result of state-sponsored efforts, with points of origin in both Moscow and St. Petersburg.

Due to its similarity to malware that hit the US six years ago, G Data surmises that the team behind Ouroboros is likely cut from the same cloth:

“Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Ouroboros is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ. Ouroboros checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Ouroboros speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.”

So far the targets of Ouroboros have included nation states, intelligence agencies, and high-profile corporate and banking entities that work closely with governments on issues like homeland security and potential cyberattacks. There is still no word on exactly how the worm spreads or what vectors it uses to infect its victims, but much of this information is expected to come to light as researchers pore over the code in the coming weeks.