There's a commented sample already detected by 6(+1) scanners at VirusTotal with the exact same hashes and file size as the one mentioned in their red paper.
Detecting a signature file is not the same as analyzing its code in a deeper manner; signature detection and actual research and understanding of a threat are different things.
http://www.infosecurity-magazine.com/view/37206/is-uroburos-the-first-known-russian-cyberweapon/ Kudos to the people at G Data
Uroburos bypasses PatchGuard by bypassing the Driver Signing Policy. They install a signed, legitimate VirtualBox driver and exploit it to let Windows believe it's in Test mode so they can load their own driver. http://blog.gdatasoftware.com/blog/...travel-into-kernel-protection-mitigation.html
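A quick host-triage script for the pattern described in the post above, as an added example that is not from the thread, from G Data, or from the Uroburos research. It checks the two things a practitioner would want to look at on a Windows box: whether test-signing is configured in the boot store, and whether a VirtualBox kernel driver is registered or loaded on a machine that has no VirtualBox installation to justify it. The `VBox*` name filter, the VirtualBox uninstall-key check and the path handling are assumptions made for this example.

```powershell
# Added example (not code from the thread or from G Data). Run from an
# elevated PowerShell session. Assumptions: VirtualBox drivers are named
# VBox*, a real VirtualBox install leaves an "Oracle VM VirtualBox" uninstall
# entry, and driver paths may carry a "\??\" prefix that must be stripped
# before the file can be inspected.

function Get-TestSigningState {
    # bcdedit prints a "testsigning   Yes" line when test mode is set at boot.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $bcd) { return 'unknown (bcdedit unavailable or not elevated)' }
    $hit = $bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' }
    if ($hit) { return 'enabled' }
    return 'disabled'
}

function Get-VBoxDriverFindings {
    # Win32_SystemDriver lists kernel driver services whether or not they are
    # currently loaded; State tells us which.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'VBox*' -or $_.PathName -like '*VBox*' }

    # Assumption: a legitimate VirtualBox install registers an uninstall entry.
    $vboxInstalled = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Oracle VM VirtualBox*' }

    foreach ($d in $drivers) {
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name          = $d.Name
            State         = $d.State
            Path          = $path
            # A valid signature is exactly what the post describes: the driver
            # is legitimate and signed. The interesting combination is a signed
            # VirtualBox driver on a host with no VirtualBox installed.
            Signature     = if ($sig) { $sig.Status } else { 'file not found' }
            VBoxInstalled = [bool]$vboxInstalled
            Suspicious    = (-not $vboxInstalled)
        }
    }
}

"Test-signing configured at boot: $(Get-TestSigningState)"
Get-VBoxDriverFindings | Format-Table -AutoSize
```

Two caveats. The bcdedit check only reports test mode that was configured in the boot store; if the kernel is merely made to believe it is in test mode, as the post describes, that check will still say "disabled", which is why the driver-presence check carries more weight here. And a VirtualBox driver on a host that genuinely runs VirtualBox is expected, so the `Suspicious` column is a starting point for a look at the file and its load history, not a verdict.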
Only G-Data could rely on a bunch of forum posts because they can't do their own RE, no matter how qualified the forumites in question are. I can't imagine, say, F-Secure or Kaspersky needing it. And if you can't detect something, that means your research just isn't good enough for you to be able to, because the point of malware research is to prevent, detect or at the very least help others detect malware.
Basically this proves that PatchGuard is not good enough. We need hypervisor-based security; it's very disappointing that a billion-dollar company which invests lots of money in R&D still hasn't developed this. It should be added to Windows ASAP. http://www.mcafee.com/us/solutions/mcafee-deepsafe.aspx http://northsecuritylabs.blogspot.n...pdated-max=2012-01-01T00:00:00Z&max-results=4 http://www.google.nl/url?q=http://w...0QFjAD&usg=AFQjCNH8A7ZQJIq9bLr9MbStLgMp_PZlrA
http://blog.crysys.hu/2014/08/the-e...on-command-and-control-server-infrastructure/ http://news.softpedia.com/news/Roma...d-in-Turla-Watering-Hole-Attacks-454175.shtml
So, nominally first discovered by a private German AV company, and out there for 2+ years. And either not discovered or not communicated by our cyber-defence organisations.