Gameover malware is tougher to kill with new rootkit component
The rootkit works on 32-bit and 64-bit Windows versions and protects the malware's components from being deleted
IDG News Service - A new variant of the Gameover malware that steals online banking credentials comes with a kernel-level rootkit that makes it significantly harder to remove, according to security researchers from Sophos.
Gameover is a computer Trojan based on the infamous Zeus banking malware whose source code was leaked on the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts.
At the beginning of February, researchers from security firm Malcovery Security, reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. However, the latest trick from the Gameover authors involves using a kernel rootkit called Necurs to protect the malware's process from being terminated and its files from being deleted, researchers from Sophos said Thursday in a blog post.
The latest Gameover variant is being distributed through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don't contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.
If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.
If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt to ask the victim for administrator access. The UAC prompt should look suspicious considering the user opened what he believed to be an invoice, the Sophos researchers said.
However, if the user confirms the execution anyway or the exploit is successful in the first place, the rogue driver starts protecting the Gameover components.
"The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet," the Sophos researchers said.
It's not clear why the Gameover authors began using a rootkit developed by someone else.
"Perhaps the the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang," the Sophos researchers said. "Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development."
Zeus and its spin-offs continue to be very popular with cybercriminals. According to a recent report from Dell SecureWorks, Zeus variants accounted for almost half of all banking malware seen in 2013.
In addition to stealing online banking credentials and financial information, cybercriminals are increasingly using such malware to collect other types of data. Security firm Adallom recently found a Zeus variant designed to steal Saleforce.com credentials and scrape business data from the compromised accounts.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts