The traditional Cold War era may be over, but the technology-assisted Cold War is still in vogue. Developed nations have been building and using sophisticated malware that is well beyond traditional and modern cyber security mechanisms. Even well-trained cyber security professionals cannot detect such malware until it has already achieved its surveillance and espionage tasks.
For instance, malware such as Stuxnet, Duqu and Flame has proved this point. It created havoc for many years in an undetectable and covert manner, was detected only recently, and since then its variants have been making the rounds in cyberspace.
This malware is not the work of a single group or company but of expert malware makers supported by developed nations. The United States has been accused of making such malware in the past, and it is also believed that the U.S. is the biggest buyer of malware in the world. The U.S. has also been accused of using a combination of radio waves and malware to spy on other countries. It is well known that global cyber espionage networks are being actively and covertly used to spy on other nations. This is evident from the fact that command and control servers of the malware FinFisher were found in 36 countries, including India.
Countries across the world have started to strengthen their cyber security capabilities. While protecting their own cyberspace, countries must understand that cyber security is an international issue (PDF) and not a national one. Therefore, an international cyber security treaty is required (PDF). In the absence of international harmonisation in this crucial field, countries would keep attacking one another in cyberspace.
In the latest news in this regard, G Data security experts have analysed (PDF) a very complex and sophisticated piece of malware designed to steal confidential data. G Data refers to it as Uroburos, after a string found in the malware's code and following the ancient symbol depicting a serpent or dragon eating its own tail.
According to G Data, Uroburos is a rootkit composed of two files: a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably files) and is also able to capture network traffic. Its modular structure allows it to be extended with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. The driver component of Uroburos is extremely complex and is designed to be very discreet and very difficult to identify.
BAE Systems has labelled it "Snake" (PDF) and has identified two distinct variants, both highly flexible but using two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel-mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enable an effective data exfiltration mechanism. At the same time, Snake has shown the flexibility to conduct its operations using these noticeably different architectures.
According to media reports, Uroburos has been stalking its victims since as far back as 2005, and large enterprises and governments need to pay urgent attention to the threat it poses. It now transpires that Snake has been slithering silently around networks in the U.S., its NATO allies and former Soviet states for almost a decade, stealing data, growing ever more complex and modular, and remaining almost invisible.
Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether in the US, Belgium, Georgia, Romania, Hungary and Italy.
These are very small numbers, but cyber security firms believe that, on past experience, they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries almost exclusively. While no one has specifically named Russia as the originator of this malware yet, some have placed the country under suspicion.
Hints of the malware's provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that the evidence is circumstantial, and it is very difficult to attribute cyber criminality with great certainty.