Experts analyze Snake, Uroburos malware samples dating back to 2006

Researchers with BAE Systems Applied Intelligence have determined that a possibly Russian-fueled malware campaign known as Snake, or Uroburos, may actually date back as far as 2006, instead of 2011 as initially presented by a German security company last week.

Germany-based G Data SecurityLabs released a “Red Paper” last week explaining that Uroburos is a rootkit, composed of two files, that is able to take control of infected machines, execute arbitrary commands, hide system activities, and, ultimately, steal information and capture network traffic.

“Our research builds on this and looks across dozens of samples going back to 2006 and provides context around the wider campaign associated with this toolkit,” David Garfield, managing director of cyber security with BAE Systems Applied Intelligence, told SCMagazine.com in a Friday email correspondence. The group released a report on Friday.

The BAE report also includes several appendices detailing technical indicators that can alert an organization that it has been compromised by the malware, Garfield said, adding that these indicators should be deployed as soon as possible.

The German researchers suggested a Russian agency is behind the highly sophisticated malware. A number of technical details led them to believe that the group behind Uroburos is also behind a 2008 attack against the U.S. using a piece of malware known as Agent.BTZ, with the use of the Russian language being one connecting factor.

“Our report shows that a technically sophisticated and well organized group has been developing and using these tools for the last eight years,” Garfield said. “There is some evidence that links these tools to previous breaches connected to Russian threat actors, but it is not possible to say exactly who is behind this campaign.”

BAE is not in a position to reveal specific victims of the Snake campaign, but analyzed malware samples were discovered around Eastern Europe, Garfield said, adding that attackers targeted groups around the globe that maintain sensitive information.

Garfield could not say specifically how the targeted networks are being infected by Snake, but explained that similar malware has previously been delivered via phishing attacks, drive-by attacks, and even USB sticks.

“The reality is that there are a range of techniques available to attack groups to infiltrate organizations and the attackers will evolve their techniques over time to maintain access,” Garfield said. “Organizations need to have a range of defenses in place to defend themselves.”