Russian Snake Virus: 8 Years of Data Stolen by Uroboros

It has been discovered that a Russian Snake Virus, Uroboros, has been stealing data for 8 years. Despite being discovered, the virus will still be present on many systems and will go on stealing, as it is incredibly difficult to detect.

Where did the virus come from?

It has been called the Russian Snake Virus because many experts believe the virus was developed in Russia, and "Snake" because some believe the Russian government sponsored it. Why? Because of the sophisticated make-up of the virus: a malicious program as complex as Uroboros is believed to have been given state sponsorship.

Foreign governments have been known to develop viruses before. China was behind the APT1 virus, and links have been found that tie it to the Chinese military. However, so far no link has been proven between the Russian government and Uroboros.

The virus was not developed in order to steal data from individuals. The creators had other higher aims. The International Business Times reported that the virus was created to illegally obtain government secrets and strike at telecoms systems.

The precise targets have not all been made public by the experts who discovered the virus, but another link to Russia comes from the fact that Ukraine was attacked 14 times by Uroboros. It would appear that the Department of Defense of the United States was also attacked by the Russian Snake Virus in 2010.

The virus is, at present, being analyzed by UK firm BAE and German company G Data. As for the level of complexity, it is reportedly equivalent to Stuxnet. For anyone not familiar with Stuxnet, it was created and used by the U.S. and Israel to destroy Iranian nuclear reactors. It meant that they spun out of control until they were destroyed.

Uroboros is a rootkit and hides inside kernel-level processes. Because of this it has remained undetected: anti-virus engines do not scan there, allowing it to stay undiscovered for so long.

The official review of Uroboros by BAE is secret and, while more is now certain, few details have been made public since the virus is part of an ongoing operation. The virus is still working and may be attacking or monitoring foreign government systems right now. What is known is that Uroboros targets a vulnerability in Windows along with software running on the Windows platform. The virus has managed to go on working despite new security features being incorporated into the operating system.

How does Uroboros work?

From the data made available so far it is known that Uroboros hijacks an operating system process. It hides inside processes that are part of Windows and so avoids detection. Because of this, AV engines do not detect it: the AV software assumes it is part of Windows and fails to flag the virus or the hijacked service as dangerous. The virus is thought to inject DLLs into the running process.

It sends data at the user and kernel level. When a user powers up their browser, the virus submits a GET request and obtains instructions from the hacker's command and control center. Since many legitimate requests are usually being made, the GET request from the virus remains unseen. The use of HTTP also permits it to bypass firewalls. Uroboros is not always enabled either: it may be active for a short period of time before going to sleep. It is told to do this by the hacker managing the virus, and may sleep for months if required.

One question that has not yet been considered is how the Russian Snake Virus infiltrates a computer. According to BAE, Uroboros is installed from a USB drive plugged into a computer, but it may also be downloaded via a phishing email. It is known to hack network processes, and to monitor and intercept inbound and outbound traffic. It is capable of stealing data and logs and can receive inbound commands.

A security flaw in Oracle VirtualBox has been targeted by the virus, allowing it to gain access to kernel memory. It updates a variable indicating that Windows was started in WinPE mode, after which unsigned DLL files can be installed; these files do not have their owner and integrity verified. The Russian Snake Virus can monitor the mounting of virtual and physical drives, and different versions exist allowing it to be installed on different operating systems.

Sadly, with malicious software such as the Russian Snake Virus it is difficult to totally safeguard a computer. There are steps that can be taken to lessen the likelihood of infection:

  • The virus may be shared through phishing and spam emails: Block these using Anti-Spam software
  • Provide training on anti-phishing strategies to employees
  • Forbid the use of all USB drives in your organization
  • Maintain software systems up to date with patches and, better still, upgrade Windows to the latest version
  • Deploy diskless devices such as Chromebooks as much as you can.
  • See to it that packet-level inspections read HTTP traffic to look for signals that malware or viruses are communicating with command and control servers
  • Data encryption can be deployed to protect stored data, but unfortunately not the memory
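As an added example (not code from the article, BAE or G Data) of the HTTP inspection the C2 description and the packet-inspection mitigation above call for: it parses constructed proxy log lines and flags client/host pairs whose small GET requests recur at a near-constant interval, the beacon profile of a check-in hidden among ordinary browsing. The log format, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): timestamp, client, method, host, status, bytes.
# The "placeholder-c2" host stands in for an unknown C2 domain; the rest is normal browsing.
SAMPLE_LOG = """\
2014-03-10T09:00:01 10.0.0.5 GET www.example-news.test 200 18230
2014-03-10T09:00:02 10.0.0.5 GET cdn.example-news.test 200 90211
2014-03-10T09:00:03 10.0.0.5 GET update.placeholder-c2.test 200 512
2014-03-10T09:00:09 10.0.0.5 GET mail.example-corp.test 200 44010
2014-03-10T09:10:03 10.0.0.5 GET update.placeholder-c2.test 200 498
2014-03-10T09:15:40 10.0.0.5 GET www.example-news.test 200 17990
2014-03-10T09:20:03 10.0.0.5 GET update.placeholder-c2.test 200 507
2014-03-10T09:30:04 10.0.0.5 GET update.placeholder-c2.test 200 503
2014-03-10T09:31:12 10.0.0.5 GET cdn.example-news.test 200 88120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")

def parse(log_text):
    """Return {(client, host): [(timestamp, bytes), ...]} from the assumed log format."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, _method, host, _status, size = m.groups()
        series[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return series

def beacon_candidates(series, min_hits=4, max_jitter=0.1, max_bytes=2048):
    """Flag (client, host) pairs with at least min_hits requests whose inter-request
    gaps are nearly constant (stddev/mean <= max_jitter) and whose responses are small.
    Returns (client, host, mean_gap_seconds, jitter) tuples for analyst review."""
    hits = []
    for (client, host), events in series.items():
        if len(events) < min_hits:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps, not a periodic beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter and max(size for _, size in events) <= max_bytes:
            hits.append((client, host, round(avg), round(jitter, 3)))
    return hits
```

Real deployments would feed this from proxy or NetFlow exports and tune min_hits and max_jitter to the observed traffic, since the article notes the implant can also sleep for months.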

Currently, the virus is believed to be used to attack foreign governments. Unfortunately, when details are published they can be used to develop variants. Non state-sponsored hackers may not have been able to develop the virus, but the techniques used to exploit computers and networks can be copied. This may already have taken place.



Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth's focus is on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone.