Gameover Trojan Uses Rootkit to Block Removal

The Gameover Trojan has added a new level to its malicious activity.


According to research from Sophos, a new variant of the malware has been armed with a kernel-level rootkit that stops users from killing the Gameover process and makes it difficult to remove the Trojan. Known as Necurs, the rootkit has been added to protect the malware files on disk and in memory.

“Necurs is a nasty rootkit,” said James Wyke, senior threat researcher at Sophos. “There will be many security solutions that were able to remove Gameover without the rootkit but no longer can. This makes Gameover more difficult to remove and detect and therefore likely to persist on an infected machine for longer. As a result, more data will be stolen from the victim. There is more danger in a threat that stays on a victim’s machine for a month, say, all the while silently stealing credentials every time the victim logs in to a website, than a threat that gets detected and removed in a day.”

Gameover first appeared after the source code for the Zeus malware was leaked on the Internet. Recently, researchers at Dell SecureWorks dubbed the malware the most prevalent banking Trojan of 2013, noting that it accounted for 38 percent of the company’s detections of financial malware.

This particular variant appears to be spreading via a spam campaign using fake invoices. The attachments don’t contain the malware itself; instead they carry a downloader known as Upatre. If the recipient launches the file, it fetches a blob of unstructured data that holds a compressed copy of Gameover, which the downloader unscrambles and launches. Once launched, Gameover installs itself in the user’s Application Data directory and tags itself with a short block of system-specific binary data.

According to Sophos, the tagging serves two purposes: it stops the copy from running anywhere else if it is taken away for analysis, and it makes each copy unique so that checksum-based file matching (a hash of the whole file) can’t be used to detect it.
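The following is an added illustration of the two effects described above, written for this page; it is not Sophos’s analysis or Gameover code, and the details are assumptions: the tag is modelled as a fixed-length trailer appended to the file, derived as a SHA-256 of hostname plus volume serial, and the executable body is a constructed byte string. The article does not document the real tag layout or derivation. What the example shows is why a whole-file checksum stops matching across infected hosts while a hash over the invariant body or a byte-pattern signature still does, and why a copy refuses to run on an analyst’s machine unless the analyst supplies the victim’s identifiers.

```python
"""Host-bound tagging vs. hash-based detection (illustrative model, not Gameover's real scheme)."""
import hashlib
import hmac

TAG_LEN = 16  # assumption: the tag is a fixed-length trailer appended to the file

# Constructed stand-in for the Trojan's executable body; any byte string works here.
CORE = b"MZ\x90\x00" + b"GAMEOVER-CORE-IMAGE-" * 8


class HostIdentity:
    """Stand-in for machine-specific values a loader can read at run time.
    Assumption: hostname plus a volume serial; the real inputs are not documented."""

    def __init__(self, hostname: str, volume_serial: int) -> None:
        self.hostname = hostname
        self.volume_serial = volume_serial

    def material(self) -> bytes:
        return self.hostname.encode() + self.volume_serial.to_bytes(4, "little")


def make_tag(core: bytes, host: HostIdentity) -> bytes:
    """Derive a short host-bound tag. Keying it on host material makes the tag
    (and therefore the whole-file hash) different on every infected machine."""
    return hashlib.sha256(host.material() + core).digest()[:TAG_LEN]


def install(core: bytes, host: HostIdentity) -> bytes:
    """What ends up on disk: the shared body followed by this host's tag."""
    return core + make_tag(core, host)


def runs_here(sample: bytes, host: HostIdentity) -> bool:
    """Loader-side check: recompute the tag for the current host and compare.
    A copy pulled off the victim and run in a sandbox fails this check."""
    body, tag = sample[:-TAG_LEN], sample[-TAG_LEN:]
    return hmac.compare_digest(tag, make_tag(body, host))


def full_hash(sample: bytes) -> str:
    """Whole-file checksum: the kind of indicator a per-host tag defeats."""
    return hashlib.sha256(sample).hexdigest()


def body_hash(sample: bytes) -> str:
    """Checksum over the invariant body only; stable across hosts once the
    tag layout is known."""
    return hashlib.sha256(sample[:-TAG_LEN]).hexdigest()


def matches_signature(sample: bytes, needle: bytes = b"GAMEOVER-CORE-IMAGE-") -> bool:
    """Byte-pattern matching ignores the tag entirely; this is why detection
    has to key on code, not on a hash of the file."""
    return needle in sample


if __name__ == "__main__":
    victim = HostIdentity("WS-ACCOUNTING-07", 0x1A2B3C4D)   # constructed
    other_victim = HostIdentity("WS-HR-02", 0x0BADF00D)     # constructed
    analyst = HostIdentity("SANDBOX-01", 0xDEADBEEF)        # constructed

    sample_a = install(CORE, victim)
    sample_b = install(CORE, other_victim)

    print("full-file hashes equal:", full_hash(sample_a) == full_hash(sample_b))  # False
    print("body hashes equal:     ", body_hash(sample_a) == body_hash(sample_b))  # True
    print("signature hits both:   ", matches_signature(sample_a) and matches_signature(sample_b))  # True
    print("runs on victim:        ", runs_here(sample_a, victim))   # True
    print("runs in sandbox:       ", runs_here(sample_a, analyst))  # False
    # The analyst gets the sample to run by feeding it the victim's identifiers,
    # not by altering the sample itself.
    spoofed = HostIdentity("WS-ACCOUNTING-07", 0x1A2B3C4D)
    print("runs with spoofed IDs: ", runs_here(sample_a, spoofed))  # True
```

The practical takeaway is the same one the Sophos quote makes: a per-host tag only breaks detection that depends on the hash of the whole file. Signatures over the code body, behavioural rules, or a hash computed after stripping the known tag region all continue to match every infected host.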

Normally this is the point at which the Trojan injects itself into other processes and exits; instead, this is where the new version installs the rootkit. On a 32-bit system where the user lacks administrator rights, the malware attempts to exploit CVE-2010-4398, a Windows kernel elevation-of-privilege flaw, to gain the privileges needed to load the driver. If that vulnerability is patched, loading the rootkit triggers a User Account Control prompt instead.


On 64-bit systems the driver is digitally signed with a bogus certificate, and because 64-bit Windows refuses to load kernel drivers that lack a valid signature, the malware also tries to reconfigure the system so that it accepts unverified drivers.

Interestingly, this is not the first time a Zeus variant has used a rootkit. Early versions used a user-mode rootkit to hide the Trojan’s directory and registry entries, according to Sophos, but this was dropped in later versions and viewed as largely ineffective.

Noting that the rootkit comes from another malware family, Wyke speculated that there could be some collusion between different attacker groups.

“One major benefit of using a rootkit from another family is that the code comes pre-built and pre-tested,” Wyke said. “They don’t have to spend time and effort developing the driver themselves and they know it works already as it’s been used in the field for quite some time. Necurs has been used as a protection mechanism for FakeAV in the past but this is the first time we’ve seen other malware families using it.”
