The Gameover ZeuS Trojan has been updated with functionality targeting bitcoin wallets.
Researchers with F-Secure spotted a variant of the malware that includes code to read and write to Bitcoin wallets. It also hooks into the process by which the wallet is encrypted, stealing the password and thwarting encryption.
This is just another twist for Gameover, which has emerged as one of the most treacherous pieces of financial malware on the Internet. Gameover first appeared on the Internet in 2011. Recently, researchers at Dell SecureWorks dubbed the malware the most prevalent banking Trojan of 2013, noting that it accounted for 38 percent of the company’s detections of financial malware.
According to research from Sophos, a recently detected variant of the malware used a kernel-level rootkit known as Necurs to protect malware files on disk and in memory and make it difficult to remove the Trojan. That particular variant was seen spreading via a spam campaign that used messages with fake invoices.
“Gameover is “privately” held by one gang – it’s a different fork from the ZeuS code which was open sourced years ago,” explained Sean Sullivan, security advisor at F-Secure.
“The sample we’ve analyzed is relatively new,” he said. “But the botnet nodes themselves may have already begun to update.”
“[ZeuS] isn’t always first to adopt a new tactic, but it is generally ‘best of breed’,” he added.
Certainly, bitcoin users and exchanges have been getting more attention from hackers lately. Earlier this month, bitcoin exchanges Poloniex and Flexcoin announced they had been hit by hackers. As a result of the attack, Flexcoin was forced to shut down. More malware targeting bitcoins has also been popping up, such as OSX/CoinThief.A, a Trojan targeting Mac users.
“I’m somewhat surprised at how long it’s taken to incorporate wallet.dat stealers into big players – but then I suppose that means that Bitcoin may now be a ‘real’ industry,” Sullivan said. “Not sure if that is a good thing for Bitcoin users in the long run.”
John Miller, security research manager at Trustwave, said that recent security events involving crypto-currencies serve as a reminder to users that criminals will hunt down financial assets regardless of their form.
“Individual users are at risk when they store their wallets insecurely or entrust their coins to third-party services,” he said. “Malware such as Pony can steal unencrypted wallets from unsuspecting users. Services can be scams intent on defrauding users or could suffer theft that results in financial loss to users. Safe browsing habits, anti-malware solutions, and gateway protection technologies can all help with the former, only proper consumer research can help with the latter.”
