A widely reported virus that has infected users in Ukraine has been detected as far afield as the UK and USA.
Called the “Snake” or “Uroburos” virus, it has been compared to the Stuxnet worm and the finger of blame has been pointed at Russia. According to io9.com, the virus works by giving the attacker full remote access to the compromised system, and it has the ability to remain inactive for a number of days.
According to Jaime Blasco, director of AlienVault Labs, the virus, also known as Turla, is related to another piece of malware called Agent.BTZ that was found on a USB stick in 2008 in the parking lot of a government building in the United States.
Analysis of the malware by BAE Systems Applied Intelligence has found that its developers operate in the same time zone as Moscow and that some Russian text is embedded in the code. BAE said it identified 14 cases of Snake in Ukraine since the start of 2014, and in all there have been 32 reported cases in Ukraine since 2010, out of 56 worldwide.
BAE’s analysis of the malware’s development history revealed that it has actually been in development since at least 2005, and the complexity, range of variants and techniques used by the malware suggest that Snake’s authors and operators are committed and well-funded professionals.
Tom Cross, director of research at Lancope, said that technically speaking, this is a rootkit as it is designed to enable attackers to hide on a computer network and exfiltrate data covertly. “It is not surprising to see state sponsored malware like Snake appearing on networks in Ukraine in the midst of the Crimean crisis,” he said.
“Malware activity is an integral part of international conflict today. Usually, malware is used by each side of a conflict to spy on the other side. Sometimes, such as in the case of Stuxnet, malware can also be used to disable critical systems and infrastructure. I’m not aware of any reports of Uroburos being used to disable critical infrastructure, but if a violent conflict breaks out in Ukraine it would not be surprising to see cyber attacks used in that capacity.”
Blasco said that there was no clear infection vector yet, but he suspected that a combination of spear phishing campaigns, watering hole and strategic web compromises, and even physical access to drop payloads was used.
Asked if he felt that the sudden prevalence of the Snake virus was tied to the current situation in Russia/Ukraine, Blasco pointed out the timing and the fact that it had been detected in Lithuania, the UK, Belgium and Georgia too. “That being said,” Blasco continued, “the current geopolitical situations of those countries make them a good target to acquire geopolitical intelligence from several countries (not only Russia). As we know there are several clues that point to the Russian origin of Snake.”
BAE called this a game changer. Martin Sutherland, managing director of BAE Systems Applied Intelligence, said: “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.
“The threat described in this report really does raise the bar in terms of what potential targets, and the security community in general, have to do to keep ahead of cyber attackers. As the Snake research clearly illustrates, the challenge of keeping confidential information safe will continue for many years to come. Hopefully, however, this research will help potential targets to better understand the nature of their threat adversary, and how they can build appropriate defences.”