/ TitanHQ Blog
/ The Russian Snake (Uroboros) Virus : Stealing your data for 8 years?
Posted by Geraldine Hunt on Sun, Mar 23rd, 2014
The Uroboros (Snake) virus was not detected by any anti-virus software for 8 years, and is probably still undetectable on many infected systems.
Is the Russian Goverment behind the Snake Virus?
While it is not proven that the Russian government is behind the snake (Uroboros) virus, security researchers at Gdata and BAE believe it is most likely of Russian origin, and speculate that the complicated effort to program such a sophisticated virus would have required state sponsorship. Unlike the APT1 virus which was clearly linked to the Chinese military, there is no specific proof that the Russian government or military are behind Uroboros / Snake.
The International Business Times reported that:Experts haven't identified specific victims of Uroboros attacks, but its sophisticated nature suggests it was designed to attack high-value targets like government networks and telecom systems…. It’s incredibly sophisticated nature suggest to experts that it was developed not by cybercriminals, but by a state agency.
The article says that the Ukraine has been attacked 14 times this year. Beyond that security researchers are not revealing who else had been targeted, but the Americans say that the Department of Defense was attacked by this in 2010 and that the malware is the work of a foreign intelligence agency. The German firm GData and British firm BAE have been analyzing the malware. GData says it is equal in sophistication to Stuxnet, which the Americans and Israelis used to cause Iranian nuclear centrifuges to spin out of control and destroy themselves, a daring act of espionage beyond the imagination of even the most creative spy fiction writer. The Hacker News web site is reporting that Snake is an umbrella name for a series of tools including the Uroburos rootkit. The name “rootkit” means it is designed to hide inside kernel-level processes, thus not revealing itself to antivirus software. Hacker News says Snake has been operating for 8 years undetected.
BAE Analysis of Snake
BAE has written a detailed description of Snake. The BAE whitepaper cites an interview with the US Secretary of Defense (in 2010) William J. Lynn who described a sophisticated malware attack on classified Department of Defense computers. The Secretary said this malware was the work of a foreign intelligence service, but did not reveal how he knows that. BAE, however, says they know some of the details: ‘However, the operation behind the attacks has continued with little modification to the tools and techniques, in spite of the widespread attention a few years ago’. In other words, Snake is an ongoing operation that shows no signs of winding down, so it can or could be attacking the American military and others still.
The weaknesses exploited by the hackers still exist, so their malware will keep on working for the foreseeable future. The virus targets the Window operating system and certain third-party software installed on it. Hackers have been able to bypass even the newest security features built into Windows.
How Snake works, and why it evaded detection for 8 years.
Snake works by hijacking a running process. That means that it operates inside the memory of something that is normally running on Windows such as svchost, iexplorer.exe, chrome.exe, or firefox.exe. This approach bypasses antivirus software, because the running process is not listed as malware, since it is part of the operating system or a legitimate program. Snake communicates with its command and control computers at both the kernel and user (e.g. browser) level. It waits until the user opens a browser, then makes its own GET request to obtain instructions. As BAE points out, a normal web site like a news feeder reader makes GET requests to dozens or hundreds of domains and sites. Filtering out anything that is malicious is thus made more complicated, because it looks like ordinary traffic. Since the virus uses HTTP, it is able to bypass firewalls too. As part of its way to avoid detection, Snake at times goes to sleep for a period of days or months. It receives instructions to do this from the command and control web server. For example, it might send a GET /file.jpg HTTP request and receive back the reply “1” telling it to sleep. BAE has captured network traffic showing that plus reversed engineered the .dll code to C language source code to explain how the virus works in detail.
The way processes are attacked and taken over is to take advantage of memory leaks and security weaknesses to inject malware .dlls (in the case of Windows) into the running process. Snake is not the only malware to use that approach.
Consider a simple example. If a program declares a variable like this:
but then does not assign any value to that variable, the computer has set aside memory of size sizeof(x). Then a virus can use that allocated address to direct the program to load and run a .dll, which is the hacker’s software. Then the malware has taken over the machine.
Hackers can often gain access to that variable x and others by calling a method (function) in a running program, thus bypassing security measures thus letting Windows or other software facilitate its own exploitation.
It is not known how Snake infects machines. BAE speculates that it could be an infected USB drive or email phishing. The virus works at the kernel and user layer. At the kernel layer it hacks network processes to intercept inbound and outbound traffic. That way it can both send out data and logs and listen and wait for inbound commands.
One vulnerability that helped it work is a security issue with Oracle Virtualbox. Using that, the malware is able to gain access to kernel memory and update a variable there to say that the Windows server was booted in WinPE mode. That means it was booted in such a manner that the operating system will load unsigned .dlls, a security measure that was introduced into 64 bit versions of Windows. (Unsigned software lacks a valid certificate, such as one issued by Verizon, that verifies its origin and integrity. A hacker will have a hard time getting one of those, as a countries military could not simply ring up Verisign to ask for that without raising suspicion.)
The virus is daunting in its complexity and sophistication. It deploys different versions of itself depending on what version of the operating system is running. It mounts virtual disks on the machine and uses those to store data that it then sends to the command and control center, thus stealing the same.
What can be done to Avoid Snake and similar attacks?
Perhaps the best security is to assume that hackers will always be able to bypass security and have already compromised your machines. That would suggest one should reinstall the operating systems and software on all their machines at some regular basis. Of course that would be difficult to do on mission-critical production servers.
Other possible measures to take to tighten up security include:
- Use email spam filters to block phishing emails.
- Train employees about phishing.
- Do not allow employees to plug in USB devices like drives and smart phones.
- Retire older versions of Windows like Windows 7 that have known security issues.
- Consider not using Windows at all and switch to diskless, network-only devices like Chromebooks.
- Deploy packet-level inspection to read inbound and outbound HTTP traffic to look for signs of malware communicating with command and control servers.
Note here that we don't mention encrypting data. The biggest problem with trying to use encryption to protect data is that you can encrypt data-at-rest and data-in-transit but not data while it is in memory. But Microsoft has made reading such data in memory harder by using schemes like ASLR (address space layout resolution) to assign data to memory in randomly-selected addresses instead of one contiguous block, thus making it harder for the hacker to predict where data is located. Yet encrypting data on disk will keep such data secure if an entire file is what is stolen and not individual records plucked from memory as they are processed.
Expect to see multiple variants of the Snake over the next few years
So far it appears that governments have been the primary targets of Snake. However, now that it has been detected, and it mechanisms of operation exposed publicly, it is likely that it will soon be put to use by cybercriminals to target your organization, if they have not already done so. Expect to see multiple variants of the Snake over the next few years, along with tools to enable low level hackers/script kiddies to deploy and use these variants to deliver their own payloads, or to steal specific information.
Snake underlines the need for a multi-pronged approach to network security, but also underscores the increasing sophistication of attacks and stealth that can prevent detection of the better part of a decade. This is an arms race between governments, cybercriminals and the network security industry.
So are you doomed to sit in the line of fire and hope that your network won’t be the next casualty of the cyberwar? No, you are not powerless - network security in your organization requires constant vigilance: Ensuring your network has the latest patched version of operating systems and software, inbound and outbound filtering, and that your end users are aware of the risks, and are alert to possible breaches, are all precautions you can and should be taking - and that will significantly reduce the risks.
But what else are you doing to protect your network? Please share your suggestions below: We'd love to hear your thoughts.