Skip Navigation
BlackBerry Blog

Infinity vs. The Real World: Uroburos

NEWS / 03.07.14 / Brian Wallace

Uroburos is a rootkit that’s been around for years but has only recently caught the attention of the broader security community. The malware, as analyzed by G Data, is believed to have been developed by the Russian government for the purpose of state-sponsored cyber espionage. To quote the report by G Data, “The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed.” Going undetected by everyone for over three years, leads us here at Cylance to ask “how would our mathematical ensembles stand up to it?”

The report mentions the hash for the driver used by the rootkit: 320F4E6EE421C1616BD058E73CFEA282. This file—originally submitted to public and private malware feeds on October 20th, 2011—remained undetected by every AV engine until February 28th, 2014.

Let’s see what happens when we run this same file through our latest ensemble generated on February 5th, 2014.


Infinity detects this driver as a threat with a 70% confidence rating.

The report explicitly identifies only one sample, but we can identify that it’s a member of the Turla rootkit group. Researchers here at Cylance have identified historical samples of Turla. Let’s see how well we detect these versions over the years.

For samples dating back to 2006, we detect all three samples as threats with 100% confidence.


For samples dating from 2009 and 2010, we detect all three as threats with confidence ranging from 81% to 100%.


For samples from 2013, we detect both as threats with 98% and 99% confidence.


Under the protection of CylancePROTECT and the CylanceV API, your organization can thwart these advanced threats before anyone else identifies them as such. Want to get plugged in to the power of PROTECT? Request a demo from a Cylance expert and stay one step ahead of the attackers.



- Brian Wallace
Researcher, Cylance, Inc.

Brian Wallace

About Brian Wallace

Lead Security Data Scientist at Cylance

Brian Wallace is a data scientist, security researcher, malware analyst, threat actor investigator, cryptography enthusiast and software engineer. Brian acted as the leader and primary investigator for a deep investigation into Iranian offensive cyber activities which resulted in the Operation Cleaver report, coauthored with Stuart McClure.

Brian also authors the A Study in Bots blog series which covers malware families in depth providing novel research which benefits a wide audience.