Does anyone know if there is at least an extra.dat for this? it would be nice to push out something before leaving for the weekend
What is Uroburos?
Uroburos is a rootkit that consists of two files - a driver and an encrypted virtual file system. Attackers can use this malware to take control of the infected PC, execute any program code on the computer and cover up their actions on the system. Uroburos is also capable of stealing data and recording network data traffic. The modular structure enables attackers to enhance the malware with additional functions. Due to this flexibility and modularity, G Data considers this rootkit to be very advanced and dangerous.
Technical Complexity Points to Origin in the Secret Service
The complexity and design of Uroburos attest to the malware being very complex and costly to develop. G Data believes that highly trained developers must have been involved. The German IT security provider therefore assumes that cyber criminals were not involved in the development, and think that a secret service is behind Uroburos. The experts also think that the programmers are likely to have developed an even more advanced rootkit that has not been discovered yet.
Uroburos is designed to work in large networks belonging to companies, public authorities, organizations and research institutions: the malware spreads autonomously and works in "peer-to-peer" mode, where the infected computers in a closed network communicate directly with each other. The attackers only need a single computer with Internet access. The pattern shows that the attackers have taken into account the fact that networks often include PCs that are not connected to the Internet as well. The infected computers spy on documents and other data and transfer these to the PC with the Internet connection, from which all the data that has been collected is transferred to the attacker. Uroburos supports both 32 and 64 bit Microsoft Windows systems.
Link to Russian Attack on USA Suspected
Based on the technical details, file names, encryption and behavior of the malware, G Data experts see a connection between Uroburos and a cyber attack that was carried out on the US in 2008 - the same attackers are presumed to be behind those attacks and the rootkit that has just been discovered. On that occasion, malware called "Agent.BTZ" was used. Uroburos checks infected systems to see whether the malware is already installed, in which case the rootkit does not become active. G Data also found indications that the developers of both malware programs speak Russian.
The analysis shows that the attackers are not targeting ordinary Internet users. The operational effort is only justified for worthwhile targets, i.e. large corporations, public institutions, secret services, organizations and similar targets.
Probably Undetected for More Than Three Years
The Uroburos rootkit is the most advanced piece of malware that the security experts at G Data have ever analyzed in this environment. The oldest driver that was found in the analysis was compiled in 2011. This indicates that the campaign has been undetected since then.
The Infection Vector Remains Unclear
So far, it has not been possible to determine how Uroburos initially infiltrates a high-profile network. The attacks can happen in a number of ways, e.g. spear phishing, drive-by infections or social engineering attacks.
What Does the Name Mean?
G Data has called the malware "Uroburos" after a corresponding name used in the source code, which is based on an ancient Greek symbol of a serpent or dragon eating its own tail.
>> The detection will be as follows- "Trojan-Fdsg, Dropper-FKG"
There's a typo in what you're searching for based on MTIS 14-039
It's Trojan-FDSD (not Trojan-FDSG)
Updated DAT: 7372 (2014-03-09)
Please see the "McAfee Labs Security Advisory" (MTS14-039) March 06/2014
It can be located and viewed from the (Main) Security Awareness Page under Documents.
Edit: Enjoy your weekend knowing McAfee has your "Back"
CatDaddy
This is not high risk for American corporations, at least not right now. I just got the latest report from BAe Systems which gives details of the affected locations. Most are in Ukraine and Lithuania, with only 2 in the US. This is an extremely targeted operation, and the US is not (edit : or at least, does not appear to be) one of the main targets.
Worry if you like, but not very much.
You should definitely worry about the next one, the one that hasn't been found yet, regardless of who is running the operation.
As I always highly respect the viewpoint of all Moderators, and have on numerous occasions clearly stipulated that, regarding any advice or posting on my part, I consider their input more knowledgeable than mine. Quite simply put...they know better.
Having said that...regardless of the herein mentioned threat being one to be of concern, I simply posted that a "Note-worthy" event has taken place in regards to the threat mentioned. It clearly states that effective (today) 3/10/2014 the updates will sufficiently provide "Detection-Protection" for the (Uroburos Malware), most notably with Dat (7373). This is specifically associated with the (revised) Noteworthy event described by Thux.
The detection will be as follows- "Trojan-Fdsg, Dropper-FKG"
In other words...although Corporate Entities need not be overly concerned about the mentioned threat at this moment in time (as Hayton stated), McAfee has taken appropriate steps to assure that, if such be the case...they are covered.
My 2 cents worth... From what I have read, this has been a threat that has been out in the wild for several years undetected. That being said, since no detection had been available until yesterday, how do we really know who has been impacted and to what degree? If it has been hard to detect for the threat professionals, then it quite possibly may not be known by the average person.
I think the warning was intended more for the fact that it was an intended attack on Americans and therefore, Americans should be concerned and should be monitoring for suspicious activity no matter what the threat may be. Quite frankly, we are not professionals in the threat industry and I for one could not possibly tell you if we had been impacted or not without the tools to do so.
I have always believed that he who fears not is a fool in waiting. Today's digiality is a reality we all need to fear to some degree.
With complete respect
PS... McAfee did note it as "High Risk"
As you said, Uroburos Malware was NOT included in DAT 7373 with the detection/threat names "Trojan-Fdsg, Dropper-FKG".
Please let me know the McAfee Detection name for Uroburos Malware and its DAT version if it is already included in the Current DAT.
The 7373 DAT release notes say the following:
Dat Version: 7373
DAT Release Date: 03/10/2014
Threats Detected: 668961
New Detections: 0
Enhanced Detections: 180
Enhanced detections are those that have been modified for this release. Detections are enhanced to cover new variants, optimize performance, and correct incorrect identifications.
Noteworthy threats are those that had an Avert risk assessment of Low-Profiled, Medium, Medium-On-Watch, High, or High-Outbreak at the time of DAT release.
Noteworthy Threats (Name / Corporate Risk Assessment / Home Risk Assessment): There are no noteworthy threats in this release.
New Detections: There are no new detections in this release.