The German computer security and antivirus detection company G Data Security has alleged that the Russian government is behind the newly detected malware known as "Uroburos."
G Data bases its case for Russian government involvement on the complexity of the malware and the presence of Cyrillic words in the malware sample. G Data blog author "MN" points to file names, encryption keys, and behavior of Uroburos as evidence that the Russian government played a role in the creation of the malware.
Another key component, said MN, is that Uroburos looks for an earlier piece of malware that has been tied to Russia, though not conclusively to its government.
"Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed," said MN. Agent.BTZ is extremely damaging malware linked to a severe attack against the Pentagon in 2008.
Just yesterday, at the TrustyCon conference for trustworthy technology, Mikko Hypponen, the chief technology officer at security firm F-Secure, said there are few governments actively involved in writing and distributing malware.
"Ten years ago this would've been science fiction," he said. Arguably the most famous example of government-sourced malware is the Stuxnet worm, which targeted a specific kind of software that controls nuclear facilities. The United States and Israel have been implicated in the creation and distribution of Stuxnet.
Uroburos is a rootkit made of two files, "a driver and an encrypted virtual file system," that can "take control of an infected computer, execute arbitrary commands, and hide system activities." The malware is highly dangerous, MN alleges, because its structure is "modular" and "flexible," meaning that new malicious functions can be added to it easily.
"Uroburos' driver part is extremely complex and is designed to be very discreet and very difficult to identify," MN said. In the Uroburos sample discussed by G Data, the malware is designed to steal files and monitor network traffic.
The malware name is a variant spelling for Ouroboros, the ancient Greek symbol of a snake or dragon eating its own tail.
G Data says that Uroburos is "one of the most advanced rootkits we have ever analyzed" and pegs its origins to 2011, the earliest year that its driver was compiled. It works on both x86 and x64 Windows computers.
According to G Data, it operates by commanding one infected computer with an Internet connection to infect other networked computers, even those without a direct connection to the Internet. Uroburos gathers whatever data it's been instructed to collect, then surreptitiously sends it back to the malware authors using the same method of hopping from machine to machine until it finds one with an Internet connection.
"This malware behavior is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal," said MN.
Neither G Data nor the Russian consulate in San Francisco returned requests for comment. CNET will update the story when we hear back.