A variant of the Gameover banking malware has a newly-discovered rootkit element that works to conceal and protect the malware files on disk and in memory, making it harder to find and remove once the malware is active, according to new research from SophosLabs.
Rootkits are a type of malware designed to gain administrator privileges on infected computers, allowing attackers to modify processes that would otherwise clean up the malware. In Gameover’s case, the addition of code from a crafty rootkit called Necurs means it just became a whole lot harder to fend off. And that means the Gameover gang will have an easier time stealing data from its victims.
Zbot — Gameover’s parent
Gameover’s code is based on the leaked Zeus/Zbot source code; it is also known as Zeus P2P because it uses peer-to-peer network connectivity for command and control. Early versions of Gameover employed a user-mode rootkit, but this rootkit was dropped in a newer version because it was largely ineffective. Now, the newest Gameover variant comes with code from the Necurs rootkit.
“The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” according to James Wyke, the study author and senior threat researcher at SophosLabs.
It’s not quite clear if the Gameover and Necurs gangs are joining forces, or if the Necurs source code was acquired by the Gameover crooks. But whatever the reason, it’s an unwelcome development, James writes at Naked Security.
Gameover technical analysis
SophosLabs recently saw Gameover spreading via spam package-delivery emails with a malicious downloader attached called Upatre. This malware infects PCs through an aging vulnerability and launches Gameover.
Normally, Gameover then injects itself into other processes and exits. This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.
“Once active, the rootkit protects the Gameover malware so that you can’t delete it,” James writes.
To learn more about this new development in Gameover, check out James’s detailed analysis at Naked Security. You can also listen to the podcast below for a better understanding of botnets like Zeus/Zbot, and how they work to propagate malware.
Note: Sophos protects our customers from the various components of this malware under the following names:
- HPmal/Zbot-C
- Troj/ZbotMem-B
- Troj/NecKMem-A
- Mal/DrodZp-A
- Troj/Zbot-HTQ
- Troj/Zbot-HTS
- Troj/Necurs-BD
Free Rootkit Removal Tool
Sophos Virus Removal Tool cleans up viruses, malware and rootkits on your PC. You can get the free download of our Virus Removal Tool here. Check out our other home-user free tools to get your computers clean and protected.
Podcast: Understanding Botnets
Gerald Popkey
I apparently have Rootkit malware called Ramnit!rootkit detected on 2015-10-13 on an old Windows XP Pro computer (used as a home computer) and frankly I don’t know how to remove it. Does the Sophos Virus Removal Tool deal effectively with this particular rootkit?
Anna Brading
Hi, we’ve had protection against Ramnit variants for quite some time so you should find the Virus Removal Tool helps fix this for you. If for any reason it doesn’t, please send us a sample by following the instructions here: http://community.sophos.com/kb/en-us/11490
If you have any other questions, please feel free to ask them on our community: http://community.sophos.com/
Thanks.