SecurityWeek

Malware & Threats

Gameover Trojan Uses Rootkit to Block Removal

The Gameover Trojan has added a new level to its malicious activity.

According to research from Sophos, a new variant of the malware has been armed with a kernel-level rootkit that stops users from killing the Gameover process and makes it difficult to remove the Trojan. Known as Necurs, the rootkit has been added to protect the malware files on disk and in memory.

“Necurs is a nasty rootkit,” said James Wyke, senior threat researcher at Sophos. “There will be many security solutions that were able to remove Gameover without the rootkit but no longer can. This makes Gameover more difficult to remove and detect and therefore likely to persist on an infected machine for longer. As a result, more data will be stolen from the victim. There is more danger in a threat that stays on a victim’s machine for a month, say, all the while silently stealing credentials every time the victim logs in to a website, than a threat that gets detected and removed in a day.”

Gameover first appeared after the source code for the Zeus malware was leaked on the Internet. Recently, researchers at Dell SecureWorks dubbed the malware the most prevalent banking Trojan of 2013, noting that it accounted for 38 percent of the company’s detections of financial malware.

This particular variant appears to be spreading via a spam campaign using fake invoices. The attachments don’t actually contain the malware; instead the attachments contain a downloader known as Upatre. If the recipient launches the file, it downloads an unstructured set of data that has a compressed copy of Gameover, which is then unscrambled and launched by the downloader. Once launched, Gameover gets installed in the user’s Application Data directory and tags itself with a short block of system-specific binary data.

According to Sophos, the tagging serves two purposes – to prevent the copy from running anywhere else if it is taken away for analysis, and to make each copy unique so that checksum-based file matching can’t be used to detect it.

Normally, this would be when the Trojan injects itself into other processes and exits; instead, this is where the new version installs the rootkit. If the user’s system is 32-bit and they do not have administrator rights, the malware attempts to exploit CVE-2010-4398 to escalate privileges so that it can load the driver. If that vulnerability is patched on the system, the loading of the rootkit will trigger a User Account Control alert.

Meanwhile, the 64-bit driver is digitally signed with a bogus certificate, and the malware will try to reconfigure the system so that it accepts unverified drivers.
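As an added, defender-side example (not code from Sophos or from this article): the variant described above tries to make Windows accept unverified drivers, and the boot options that permit that are visible in `bcdedit /enum` output. The sample output below is constructed, and the parser assumes bcdedit's two-column "key  value" layout.

```python
import re

# Boot options that, when set to Yes, let Windows load kernel drivers that are
# unsigned or signed with an untrusted certificate.
WEAK_OPTIONS = ("testsigning", "nointegritychecks")

# Constructed sample of `bcdedit /enum` output (not captured from a real host);
# on a live system, feed the real output (run as administrator) instead.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.exe
description             Windows 7
testsigning             Yes
nointegritychecks       No
"""

# bcdedit prints "key<two or more spaces>value"; headers and separators do not.
KEY_VALUE = re.compile(r"^(\S+)\s{2,}(.+)$")


def parse_bcdedit(text):
    """Split bcdedit output into one key/value dict per boot entry."""
    entries, current = [], {}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if match:
            current[match.group(1).lower()] = match.group(2).strip()
        elif current:
            # A header, separator or blank line ends the entry being read.
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def find_weak_boot_entries(text):
    """Return (identifier, option) pairs where a weak option is set to Yes."""
    findings = []
    for entry in parse_bcdedit(text):
        for option in WEAK_OPTIONS:
            if entry.get(option, "").lower() == "yes":
                findings.append((entry.get("identifier", "?"), option))
    return findings
```

A hit on a host that should be running only signed drivers is worth treating as an indicator and correlating with recently created driver files and services.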

Interestingly, this is not the first time a Zeus variant has been seen using a rootkit. In fact, early versions used a user-mode rootkit to hide the Trojan’s directory and registry entries, according to Sophos. However, this was dropped in later versions and was viewed as largely ineffective.

Noting that the rootkit comes from another malware family, Wyke speculated that there could be a level of collusion between different attacker groups.

“One major benefit of using a rootkit from another family is that the code comes pre-built and pre-tested,” Wyke said. “They don’t have to spend time and effort developing the driver themselves and they know it works already as it’s been used in the field for quite some time. Necurs has been used as a protection mechanism for FakeAV in the past but this is the first time we’ve seen other malware families using it.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
