Infinity vs. The Real World: Uroburos

Uroburos is a rootkit that has been around for years but has only recently caught the attention of the broader security community. The malware, as analyzed by G Data, is believed to have been developed by the Russian government for the purpose of state-sponsored cyber espionage. To quote the G Data report, “The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed.” A rootkit that went undetected by everyone for over three years leads us here at Cylance to ask: “How would our mathematical ensembles stand up to it?”

The report gives the MD5 hash of the driver used by the rootkit: 320F4E6EE421C1616BD058E73CFEA282. This file, originally submitted to public and private malware feeds on October 20th, 2011, remained undetected by every AV engine until February 28th, 2014.

Let’s see what happens when we run this same file through our latest ensemble generated on February 5th, 2014.

[Image uroburos-3: Infinity scan result for the Uroburos driver]

Infinity detects this driver as a threat with a 70% confidence rating.

The report explicitly identifies only one sample, but we can identify it as a member of the Turla rootkit family. Researchers here at Cylance have collected historical Turla samples. Let’s see how well we detect these versions over the years.

For samples dating back to 2006, we detect all three samples as threats with 100% confidence.

[Image uroburos-4: Infinity scan results for the 2006 samples]

For samples dating from 2009 and 2010, we detect all three as threats with confidence ranging from 81% to 100%.

[Image uroburos-5: Infinity scan results for the 2009 and 2010 samples]

For samples from 2013, we detect both as threats with 98% and 99% confidence.

[Image uroburos-6: Infinity scan results for the 2013 samples]

Under the protection of CylancePROTECT and the CylanceV API, your organization can thwart these advanced threats before anyone else identifies them as such. Want to get plugged in to the power of PROTECT? Request a demo from a Cylance expert and stay one step ahead of the attackers.

Samples (MD5):

320f4e6ee421c1616bd058e73cfea282
25caaa45a82b69ac803713f33f0f0db3
cff0392ac2a1d782f43f7938ea18af4f
eb438789c721fd0bf75eed837ffcc2c7
9dc0f7e7aec2bda05d70fdfa2fc50bd0
0482d1652c2a0e6c16ca3e2a53be0783
938b92958ded4d50a357d22eddf141ad
626576e5f0f85d77c460a322a92bb267
a86ac0ad1f8928e8d4e1b728448f54f9

- Brian Wallace
Researcher, Cylance, Inc.