Gameover malware tougher to kill with new rootkit component

The rootkit works on 32-bit and 64-bit Windows versions and protects the malware's components from being deleted

A new variant of the Gameover malware that steals online banking credentials comes with a kernel-level rootkit that makes it significantly harder to remove, according to security researchers from Sophos.

Gameover is a computer Trojan based on the infamous Zeus banking malware whose source code was leaked on the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts.

At the beginning of February, researchers from security firm Malcovery Security, reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. However, the latest trick from the Gameover authors involves using a kernel rootkit called Necurs to protect the malware's process from being terminated and its files from being deleted, researchers from Sophos said Thursday in a blog post.

The latest Gameover variant is being distributed through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don't contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.

If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.

If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt to ask the victim for administrator access. The UAC prompt should look suspicious considering the user opened what he believed to be an invoice, the Sophos researchers said.

However, if the user confirms the execution anyway or the exploit is successful in the first place, the rogue driver starts protecting the Gameover components.

"The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet," the Sophos researchers said.

It's not clear why the Gameover authors began using a rootkit developed by someone else.

"Perhaps the the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang," the Sophos researchers said. "Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development."

Zeus and its spin-offs continue to be very popular with cybercriminals. According to a recent report from Dell SecureWorks, Zeus variants accounted for almost half of all banking malware seen in 2013.

In addition to stealing online banking credentials and financial information, cybercriminals are increasingly using such malware to collect other types of data. Security firm Adallom recently found a Zeus variant designed to steal Saleforce.com credentials and scrape business data from the compromised accounts.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies