RSU 3 phone server infected by malware with possible Russian roots

FBI monitoring malware to understand how it works
By Ben Holbrook | May 23, 2014

The phone servers in Regional School Unit 3 have been infected with a little-known rootkit that may have Russian roots.

Officials say there is no reason to be concerned about data being stolen or compromised because the servers are virtual and not connected to other parts of the district's systems that have access to potentially confidential or sensitive information.

Heather Perry, RSU 3 superintendent, said she was made aware of the malware, which is known as Uroburos and is believed to have ties to Russia, after being visited by an agent with the FBI. At the time, Perry said the agent informed her the malware, which was located on the district's virtual phone server, was not negatively impacting any of the district's operations.

Perry said the FBI is safely monitoring the malware to better understand how it works and what it is doing.

How the malware infected the district's phone server is unknown, Perry said.

According to German security firm G Data, which published an analysis of Uroburos, the espionage software is a rootkit composed of two files — a driver and an encrypted virtual file system. The malware is able to take control of an infected machine, execute commands remotely and hide activities on the system, according to G Data.

“Uroburos' driver part is extremely complex and is designed to be very discreet and very difficult to identify,” G Data wrote in an analysis.
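A driver that is built to be hard to identify is the part a defender would most want a baseline for. The following is an added example, not code from the article or from G Data, showing one such check on a Windows host: it inventories the kernel drivers currently loaded, records each binary's SHA-256 hash and Authenticode signature status, and on later runs flags drivers that are new, changed, or not validly signed. It assumes a Windows host with PowerShell 5 or later, an elevated session, and an arbitrary baseline path chosen here for illustration.

```powershell
# Added example (not from the article or G Data): baseline the loaded kernel
# drivers on a Windows host and flag additions, changed binaries and drivers
# without a valid Authenticode signature on later runs.
# Assumptions: Windows, PowerShell 5+, run as Administrator. The baseline
# location below is arbitrary.
$BaselinePath = 'C:\ProgramData\driver-baseline.json'

function Get-LoadedDriverInventory {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the two path prefixes this class commonly reports.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $hash = Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Hash   = if ($hash) { $hash.Hash } else { '' }
                Signed = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$current = @(Get-LoadedDriverInventory)

# First run: write the baseline and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) drivers)."
    return
}

# Later runs: diff the live inventory against the stored baseline.
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($d in $baseline) { $known[$d.Name] = $d.Hash }

foreach ($d in $current) {
    if (-not $known.ContainsKey($d.Name)) {
        Write-Warning "NEW driver not in baseline: $($d.Name) $($d.Path) [$($d.Signed)]"
    } elseif ($known[$d.Name] -ne $d.Hash) {
        Write-Warning "CHANGED driver binary: $($d.Name) $($d.Path)"
    }
    if ($d.Signed -ne 'Valid') {
        Write-Warning "Driver without a valid signature: $($d.Name) $($d.Path) [$($d.Signed)] $($d.Signer)"
    }
}
```

The caveat matters as much as the check: a rootkit of the kind G Data describes is designed to hide its own activity from the system it runs on, so an inventory taken from inside that system can be lied to. Treat a clean diff as absence of evidence, not evidence of absence, and confirm findings against an offline image or a trusted boot of the same disk.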

G Data continues by stating that due to the complexity of the malware, it most likely required a “huge investment” in order to develop and the work was done by highly skilled computer experts.

According to G Data's analysis, Uroburos was created to target high-profile enterprises, nation states, intelligence agencies and similar targets. The security firm also indicated that numerous technical details, such as file names, encryption keys, behavior and other factors, may link the malware to a 2008 cyberattack against the United States that used malware known as Agent.BTZ.

According to G Data, Uroburos checks for the presence of Agent.BTZ and will remain inactive if the malware is already installed. Also, the creators of Uroburos appear to speak Russian, G Data states.

G Data also indicates the malware went undiscovered for at least three years, as one of the oldest drivers the security firm identified was compiled in 2011.

How the malware infects systems is still unknown, G Data writes, but infection could occur through spear phishing, drive-by infections, USB sticks or social engineering attacks.

“This kind of data stealing software is too expensive to be used as common spyware. We assume that the attackers reserve the Uroburos framework for dedicated and critical targets. This is the main reason why the rootkit was only detected many years after the suspected first infection,” G Data writes. “Furthermore, we assume that the framework is designed to perform cyber espionage within governments and high profile enterprises but, due to its modularity, it can be easily extended to gain new features and perform further attacks as long as it remains undetected within its target.”

Perry said RSU 3 officials are cooperating with the FBI and reiterated that there is no threat of district data being taken or used inappropriately whatsoever.

Ben Holbrook is a reporter for The Republican Journal covering general news.