Page 1 of 7

WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Posted: Thu May 31, 2012 2:49 pm
by R136a1
Flying under the radar:

The following link shows some interesting information on a malware not yet classified: ... r&x=12&y=7

First uploaded in 2010, but some of the C&C servers are still online, so maybe it is still actively used.
Moreover it contains a kernel mode component and the origin is stated as Russian Federation, which may indicate a real challenge.

MD5 hashes

Re: Malware Requests

Posted: Thu May 31, 2012 3:52 pm
by Xylitol
@R136a1, found only these:

WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Posted: Sat Mar 01, 2014 7:10 am
by shaheen

Re: Uroburos rootkit

Posted: Sat Mar 01, 2014 8:24 am
by R136a1
For samples and some info take a look at my tweets:


Re: Uroburos rootkit

Posted: Sun Mar 02, 2014 5:18 am
by CloneRanger
@ R136a1 Good catches, Thanx :)

ALL the samples in your 2 Zips are reported by PeStudio as Signed. But viewing Properties indicates they are Not! Have the coders discovered a clever way of tricking the OS into believing they are signed, or is there another reason why my screenies show what they do?

If they have managed to do that, how?

Sample in screenies = inj_snake_x64.dll

Re: Uroburos rootkit

Posted: Sun Mar 02, 2014 8:04 am
by R136a1
When PeStudio detects something as digitally signed, it has to be 100% correct. So let's find out how they managed to fool Windows into thinking the files are signed! [/irony]

No, none of the files is digitally signed! And they also didn't find a way to fool Windows (why Windows anyway? PeStudio detects it as signed!) into thinking so. I don't know what PeStudio is using as an indicator for detecting files as digitally signed, but the implementation is obviously buggy.

Why do you blindly trust any tool when the opposite is obviously right (as you saw yourself)? ;)

Re: Uroburos rootkit

Posted: Sun Mar 02, 2014 9:59 am
Are you sure you are using the updated release?

Re: Uroburos rootkit

Posted: Mon Mar 03, 2014 2:58 am
by t4L
I guess you're misunderstanding PeStudio. IMHO, the file has the characteristic when the star to the left of it lights up. In this case, the file isn't signed, since that star is greyed out.

PeStudio's GUI design is bad, but not that hard to read.

Re: Uroburos rootkit

Posted: Mon Mar 03, 2014 5:44 am
by CloneRanger
@ R136a1

Well, I don't pretend to be an expert. I just thought that there "might" be something worth exploring further. Anyway, see below.


Yes, it was an earlier version I was using.

@ t4L

You're right, I mistakenly glossed over that. Ah well, live and learn! Actually, I think it is a useful addition to our Tools box ;)



Re: Uroburos rootkit

Posted: Mon Mar 03, 2014 5:29 pm
by frank_boldewin
Yesterday I wrote on Facebook that the Uroburos malware reminds me of a similar case back in 2008. Now I'm pretty sure. When the dropper executes, it first checks whether it runs on a 32-bit or 64-bit system to select which driver to drop later. It creates a directory $NtUninstallQ817473 inside the Windows directory and drops an encrypted driver called fdisk.sys. Then a 400MB file called fixdata.dat is created. This is an encrypted filesystem storing the user-mode files of the malware, which are injected into services.exe and explorer.exe.
Further, it is used to store stolen documents, e.g. Word, Excel, PowerPoint. The driver fdisk.sys manages the fixdata.dat filesystem and the network communication. The driver does not hide itself or use any defensive tactics. Symantec analysed an older version of this malware in November 2009 and called it Backdoor.Pfinet. Of course, I haven't made a deep dive into the malware in the short period of time I looked at it, so there will still be a lot of things to explore. ;)

Someone has seen a deep analysis already?
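The post above lists concrete on-disk artifacts (the $NtUninstallQ817473 directory under the Windows directory, the encrypted fdisk.sys driver and the ~400MB encrypted fixdata.dat container). The following triage script turns them into a host check. It is an added example written for this page, not code from frank_boldewin or from the malware: the artifact names come from his post, while the 300MB size floor, the 7.5 bits/byte entropy cutoff and the 64KB sampling window are my own assumptions. An encrypted blob shows near-maximal byte entropy and lacks the `MZ` header a real PE driver would have, which is what separates "file with that name exists" from "file looks like the encrypted artifact described".

```python
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Artifact names as given in frank_boldewin's post. The size floor, the
# entropy cutoff and the sample window are assumptions for triage only.
STAGING_DIR = "$NtUninstallQ817473"
DRIVER_NAME = "fdisk.sys"
CONTAINER_NAME = "fixdata.dat"
CONTAINER_MIN_BYTES = 300 * 1024 * 1024   # post says ~400MB; assumed lower bound
ENTROPY_CUTOFF = 7.5                       # bits/byte; encrypted data sits near 8.0 (assumed)
SAMPLE_BYTES = 64 * 1024                   # only the file head is read (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _head(path: Path, n: int = SAMPLE_BYTES) -> bytes:
    with path.open("rb") as fh:
        return fh.read(n)


def scan_windows_dir(windows_dir, min_container_bytes=CONTAINER_MIN_BYTES):
    """Look for the artifacts from the post under one Windows directory.

    Returns a list of (indicator, detail) tuples; empty means nothing found.
    """
    findings = []
    staging = Path(windows_dir) / STAGING_DIR
    if not staging.is_dir():
        return findings
    findings.append(("staging_dir", str(staging)))

    driver = staging / DRIVER_NAME
    if driver.is_file():
        head = _head(driver)
        ent = shannon_entropy(head)
        # A plain PE driver starts with 'MZ' and has moderate entropy; the post
        # says the dropped driver is stored encrypted, so expect neither.
        if not head.startswith(b"MZ") and ent >= ENTROPY_CUTOFF:
            findings.append(("encrypted_driver", f"{driver} entropy={ent:.2f}"))
        else:
            findings.append(("driver_present", f"{driver} entropy={ent:.2f}"))

    container = staging / CONTAINER_NAME
    if container.is_file():
        size = container.stat().st_size
        ent = shannon_entropy(_head(container))
        if size >= min_container_bytes and ent >= ENTROPY_CUTOFF:
            findings.append(("encrypted_container", f"{container} size={size} entropy={ent:.2f}"))
        else:
            findings.append(("container_present", f"{container} size={size} entropy={ent:.2f}"))
    return findings


def build_fake_staging(root, container_bytes=SAMPLE_BYTES):
    """Constructed sample layout: random bytes stand in for the encrypted files."""
    staging = Path(root) / STAGING_DIR
    staging.mkdir(parents=True, exist_ok=True)
    (staging / DRIVER_NAME).write_bytes(os.urandom(SAMPLE_BYTES))
    (staging / CONTAINER_NAME).write_bytes(os.urandom(container_bytes))
    return staging


def demo_scan(min_container_bytes=0):
    """Build the constructed layout in a temp dir, scan it, return indicator names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_staging(tmp)
        return [kind for kind, _ in scan_windows_dir(tmp, min_container_bytes)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python uroburos_triage.py C:\Windows
        for kind, detail in scan_windows_dir(sys.argv[1]):
            print(f"[{kind}] {detail}")
    else:
        print(demo_scan())
```

Run it against a mounted image or a live system by passing the Windows directory; with no argument it scans a constructed layout of random bytes so the logic can be exercised offline. The `driver_present` / `container_present` results are kept deliberately: a file with the right name but low entropy or a valid `MZ` header still deserves a look, it just does not match the encrypted form the post describes.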