The Gameover Trojan has added a new level to its malicious activity.
According to research from Sophos, a new variant of the malware has been armed with a kernel-level rootkit that stops users from killing the Gameover process and makes it difficult to remove the Trojan. Known as Necurs, the rootkit has been added to protect the malware files on disk and in memory.
“Necurs is a nasty rootkit,” said James Wyke, senior threat researcher at Sophos. “There will be many security solutions that were able to remove Gameover without the rootkit but no longer can. This makes Gameover more difficult to remove and detect and therefore likely to persist on an infected machine for longer. As a result, more data will be stolen from the victim. There is more danger in a threat that stays on a victim’s machine for a month, say, all the while silently stealing credentials every time the victim logs in to a website, than a threat that gets detected and removed in a day.”
Gameover first appeared after the source code for the Zeus malware was leaked on the Internet. Recently, researchers at Dell SecureWorks dubbed the malware the most prevalent banking Trojan of 2013, noting that it accounted for 38 percent of the company’s detections of financial malware.
This particular variant appears to be spreading via a spam campaign using fake invoices. The attachments don’t actually contain the malware; instead the attachments contain a downloader known as Upatre. If the recipient launches the file, it downloads an unstructured set of data that has a compressed copy of Gameover, which is then unscrambled and launched by the downloader. Once launched, Gameover gets installed in the user’s Application Data directory and tags itself with a short block of system-specific binary data.
According to Sophos, the tagging serves two purposes – to prevent the copy from running anywhere else if it taken away for analysis, and to make it unique so that checksum-based file matching can’t be used to detect it.
Normally, this would be when the Trojan injects itself into other processes and exits; instead, this is where the new version installs the rootkit. If the user’s system is 32-bit and they do not have administrator rights, the malware attempts to exploit CVE-2010-4398 to escalate privileges so that it can load the driver. If that vulnerability is patched on the system, the loading of the rootkit will trigger a User Account Control alert.
Meanwhile, the 64-bit driver is digitally signed with a bogus certificate, and the malware will try to reconfigure the system so that it accepts unverified drivers.
Interestingly, this is not the first time a Zeus variant has been seen using a rootkit. In fact, early versions used a user-mode rootkit to hide the Trojan’s directory and registry entries, according to Sophos. However, this was dropped in latter versions and was viewed as largely ineffective.
Noting that the rootkit comes from another malware family, Wyke speculated that there could be a level of collusion between different attacker groups.
“One major benefit of using a rootkit from another family is that the code comes pre-built and pre-tested,” Wyke said. “They don’t have to spend time and effort developing the driver themselves and they know it works already as it’s been used in the field for quite some time. Necurs has been used as a protection mechanism for FakeAV in the past but this is the first time we’ve seen other malware families using it.”