{
	"id": "73e08c23-5e28-435b-93d2-3f8f31c50385",
	"created_at": "2026-04-06T00:18:48.775252Z",
	"updated_at": "2026-04-10T03:33:01.482569Z",
	"deleted_at": null,
	"sha1_hash": "b91020137054f555dc2d725d7a4ddcac1886ebd2",
	"title": "Uroburos – Deeper travel into kernel protection mitigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43535,
	"plain_text": "Uroburos – Deeper travel into kernel protection mitigation\r\nBy MN\r\nPublished: 2017-05-11 · Archived: 2026-04-05 14:34:45 UTC\r\nFirst of all, we would like to send regards and thanks to the people being active on the kernelmode.info forum, in particular R136a1 and EP_X0FF. They provided a proficient analysis of the Driver Signature Enforcement bypass which enriches the overall understanding of the case.\r\nIntroduction\r\nThe following analysis article is closely linked to G DATA’s Red Paper about Uroburos, published on Friday, February 28th. The paper can be downloaded here: https://secure.gd/dl-en-rp-Uroburos\r\nFor fellow researchers, we provide the hash of the sample used for this subsequent article:\r\nSHA256: 33460a8f849550267910b7893f0867afe55a5a24452d538f796d9674e629acc4\r\nThis file is a 64-bit driver, compiled in 2011.\r\nKernel Patch Protection\r\nDefinition\r\nThe majority of rootkits use kernel modification or kernel patching to hide their activities and modify the behavior of the infected system. To protect the Windows operating system, Microsoft added a new technology to its 64-bit Windows editions. The Kernel Patch Protection technology (aka PatchGuard) checks the integrity of the Windows kernel to make sure that no critical parts are modified. In case a harmful modification of the kernel is detected, the KeBugCheckEx() function is executed, called with the value 0x109 (CRITICAL_STRUCTURE_CORRUPTION) as bug code. The result is a shutdown of the system with a blue screen.\r\nMicrosoft describes that the Kernel Patch Protection technology prevents the following modifications:\r\n• modifying system service tables, for example by hooking the KeServiceDescriptor table\r\n• modifying the Interrupt Descriptor Table (IDT)\r\n• modifying the Global Descriptor Table (GDT)\r\n• using kernel stacks that are not allocated by the kernel\r\n• patching any part of the kernel\r\nUroburos mitigation\r\nUroburos’ developers used the same inline hooks, explained in our previous Red Paper, to bypass Kernel Patch Protection. The attacker’s goal is to hook the KeBugCheckEx() function to avoid handling the bug code 0x109.\r\nThe screenshot below shows the code snippet in which the address of KeBugCheckEx() is stored in qword_787D8.\r\nhttps://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation\r\nPage 1 of 3\r\nIn case you wish to get more information concerning the technique used by the developers, we suggest the following link: http://www.codeproject.com/Articles/28318/Bypassing-PatchGuard\r\nDriver Signature Enforcement\r\nDefinition\r\nRootkits are usually drivers, which run in kernel space. To counter this kind of malware, Microsoft created a Driver Signing Policy for the 64-bit versions of Windows Vista and later. To load a driver, the .sys file must be signed by a legitimate publisher.\r\nDevelopers may disable the Driver Signature Enforcement process during the development phase of a driver, which means a developer does not have to sign each compiled driver version during the development phase. In this case, the desktop of the machine is changed and the following message appears in the bottom right corner: “Test Mode”. The flag in which the current status of the policy is stored is called g_CiEnabled. The value of g_CiEnabled is set during the Windows boot phase and is considered “static” during runtime. This means Windows assumes the value is set correctly and does not change during runtime.\r\nUroburos mitigation\r\nUroburos’ developers used new techniques to disable the Driver Signature Enforcement. In our case, they used a vulnerability in a legitimately signed driver to disable the policy! During the installation of Uroburos, the Oracle VirtualBox driver (version 1.6.2) is installed on the targeted system. This driver (VBoxDrv.sys) is signed:\r\nConclusion\r\nPreviously, we have claimed that Uroburos is a highly complex and very sophisticated malware, programmed by skilled people. This assumption is corroborated once more by the aforementioned analysis of Uroburos’ installation technique.\r\nThe developers had to deal with Microsoft Windows security enforcement. They had to find ways to bypass the Kernel Patch Protection technology and also the Driver Signature Enforcement. The technique used to bypass the Kernel Patch Protection has been documented on the Internet and therefore is not absolutely new.\r\nBut, concerning the Driver Signature Enforcement, this is the first time that we see a malware using a vulnerability in a legitimately signed driver to disable the policy!\r\nThis example shows the limitation of the signature process. Generally, the signature expiration date is set several years after its creation date. In case any vulnerability is found, a patch is provided, but the old binary is still available and valid, unless the certificate is revoked by the author/signer and placed on the CRL, the certificate revocation list.\r\nBut revoking a signature is only the first step in the protection process, because each and every system that needs to check a signature needs to have access to an up-to-date CRL.\r\nAnd even in case the system has an updated CRL, the Uroburos authors are certainly skilled enough to manipulate the verification process the operating system is using without alerting the user.\r\nSo, it is the first time that we see those two techniques to bypass Windows’ protection mechanisms in the wild. We expect that they will be used by more malware in the future, of course.\r\nIn case someone from the audience notices an infection caused by the Uroburos rootkit and needs help, would like to receive further technical information or would like to contribute any information about this case, please feel free to contact us by email using the following mailbox: intelligence@remove-this.gdata.de\r\n-------------------------\r\nG Data's Uroburos analysis red paper:\r\nhttps://secure.gd/dl-en-rp-Uroburos\r\nSource: https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation"
	],
	"report_names": [
		"23966-uroburos-deeper-travel-into-kernel-protection-mitigation"
	],
	"threat_actors": [
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b91020137054f555dc2d725d7a4ddcac1886ebd2.pdf",
		"text": "https://archive.orkl.eu/b91020137054f555dc2d725d7a4ddcac1886ebd2.txt",
		"img": "https://archive.orkl.eu/b91020137054f555dc2d725d7a4ddcac1886ebd2.jpg"
	}
}