SophosLabs: Gameover banking malware now has a rootkit for better concealment


A variant of the Gameover banking malware has a newly-discovered rootkit element that works to conceal and protect the malware files on disk and in memory, making it harder to find and remove once the malware is active, according to new research from SophosLabs.

Rootkits are a type of malware designed to gain administrator privileges on infected computers, allowing attackers to modify processes that would otherwise clean up the malware. In Gameover’s case, the addition of code from a crafty rootkit called Necurs means it just became a whole lot harder to fend off. And that means the Gameover gang will have an easier time stealing data from its victims.

Zbot — Gameover’s parent

Gameover’s code is based on the leaked Zeus/Zbot source code. It is also known as Zeus P2P because it uses peer-to-peer network connectivity for command and control. Early versions of Gameover employed a user-mode rootkit, but that rootkit was dropped in a later version because it was largely ineffective. Now, the newest Gameover variant comes with code from the Necurs rootkit.

“The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” according to James Wyke, the study author and senior threat researcher at SophosLabs.

It’s not quite clear if the Gameover and Necurs gangs are joining forces, or if the Necurs source code was acquired by the Gameover crooks. But whatever the reason, it’s an unwelcome development, James writes at Naked Security.

Gameover technical analysis

SophosLabs recently saw Gameover spreading via spam package-delivery emails with a malicious downloader attached called Upatre. This malware infects PCs through an aging vulnerability and launches Gameover.

Normally, Gameover then injects itself into other processes and exits. This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

“Once active, the rootkit protects the Gameover malware so that you can’t delete it,” James writes.

To learn more about this new development in Gameover, check out James’s detailed analysis at Naked Security. You can also listen to the podcast below for a better understanding of botnets like Zeus/Zbot, and how they work to propagate malware.

Note: Sophos protects our customers from the various components of this malware under the following names:

  • HPmal/Zbot-C
  • Troj/ZbotMem-B
  • Troj/NecKMem-A
  • Mal/DrodZp-A
  • Troj/Zbot-HTQ
  • Troj/Zbot-HTS
  • Troj/Necurs-BD

Free Rootkit Removal Tool

Sophos Virus Removal Tool cleans up viruses, malware and rootkits on your PC. You can get the free download of our Virus Removal Tool here. Check out our other home-user free tools to get your computers clean and protected.

Podcast: Understanding Botnets

I apparently have Rootkit malware called Ramnit!rootkit detected on 2015-10-13 on an old Windows XP Pro computer (used as a home computer) and frankly I don’t know how to remove it. Does the Sophos Virus Removal Tool deal effectively with this particular rootkit?

