Security firm claims Russian government makes malware

German firm G Data Security alleges that newly detected malware known as "Uroburos" was made by the Russian government.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read
The government of Russian Prime Minister Vladimir Putin, left, is being accused by German security firm G Data of creating and distributing malware. Here, Putin, Gazprom Chief Executive Officer Alexei Miller, and former German chancellor Gerhard Schroeder look at a screen as they attend the inauguration of the Nord Stream Project information mount at the gas compressor station 'Portovaya' outside Vyborg, on September 6, 2011. Alexey Nikolsky/AFP/Getty Images

The German computer security and antivirus detection company G Data Security has alleged that the Russian government is behind the newly detected malware known as "Uroburos."

G Data bases its case for Russian government involvement on the complexity of the malware and the presence of Cyrillic words in the malware sample. G Data blog author "MN" points to file names, encryption keys, and behavior of Uroburos as evidence that the Russian government played a role in the creation of the malware.

Another key component, said MN, is that Uroburos looks for a previous piece of malware that's been tied to Russia, but not its government conclusively.

"Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed," said MN. Agent.BTZ is extremely damaging malware linked to a severe attack against the Pentagon in 2008.

Just yesterday, at the TrustyCon conference for trustworthy technology, Mikko Hypponen, the chief technology officer at security firm F-Secure, said there are few governments actively involved in writing and distributing malware.

"Ten years ago this would've been science fiction," he said. Arguably the most famous example of government-sourced malware is the Stuxnet worm, which targeted a specific kind of software that controls nuclear facilities. The United States and Israel have been implicated in the creation and distribution of Stuxnet.

Uroburos is a rootkit made of two files, "a driver and an encrypted virtual file system," that can "take control of an infected computer, execute arbitrary commands, and hide system activities." The malware is highly dangerous, MN alleges, because its structure is "modular" and "flexible," meaning that new malicious functions can be added to it easily.

"Uroburos' driver part is extremely complex and is designed to be very discrete and very difficult to identify," MN said. In the Uroburos sample discussed by G Data, the malware is designed to steal files and monitor network traffic.

The malware name is a variant spelling for Ouroboros, the ancient Greek symbol of a snake or dragon eating its own tail.

GData says that Uroburos is "one of the most advanced rootkits we have ever analyzed" and pegs its origins to 2011, the earliest year that its driver was compiled. It works on both x86 and x64 Windows computers.

According to G Data, it operates by commanding one infected computer with an Internet connection to infect other networked computers, even those without a direct connection to the Internet. Uroburos gathers whatever data it's been instructed to collect, then surreptitiously sends it back to the malware authors using the same method of hopping from machine to machine until it finds one with an Internet connection.

"This malware behavior is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal," said MN.

Neither G Data nor the Russian consulate in San Francisco returned requests for comment. CNET will update the story when we hear back.