Skip to content

SophosLabs: Gameover banking malware now has a rootkit for better concealment

gameover-170A variant of the Gameover banking malware has a newly-discovered rootkit element that works to conceal and protect the malware files on disk and in memory, making it harder to find and remove once the malware is active, according to new research from SophosLabs.

Rootkits are a type of malware designed to gain administrator privileges on infected computers, allowing attackers to modify processes that would otherwise clean up the malware. In Gameover’s case, the addition of code from a crafty rootkit called Necurs means it just became a whole lot harder to fend off. And that means the Gameover gang will have an easier time stealing data from its victims.

Zbot — Gameover’s parent

Gameover’s code is based on leaked source code from Zeus/Zbot — which is why Gameover is also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control. Early versions of Gameover employed a user-mode rootkit, but this rootkit was dropped in a newer version because it was largely ineffective. Now, the newest Gameover variant comes with code from the Necurs rootkit.

“The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” according to James Wyke, the study author and senior threat researcher at SophosLabs.

It’s not quite clear if the Gameover and Necurs gangs are joining forces, or if the Necurs source code was acquired by the Gameover crooks. But whatever the reason, it’s an unwelcome development, James writes at Naked Security.

Gameover technical analysis

SophosLabs recently saw Gameover spreading via spam package-delivery emails with a malicious downloader attached called Upatre. This malware infects PCs through an aging vulnerability and launches Gameover.

Normally, Gameover then injects itself into other processes and exits. This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

“Once active, the rootkit protects the Gameover malware so that you can’t delete it,” James writes.

To learn more about this new development in Gameover, check out James’s detailed analysis at Naked Security. You can also listen to the podcast below for a better understanding of botnets like Zeus/Zbot, and how they work to propagate malware.

Note: Sophos protects our customers from the various components of this malware under the following names:

  • HPmal/Zbot-C
  • Troj/ZbotMem-B
  • Troj/NecKMem-A
  • Mal/DrodZp-A
  • Troj/Zbot-HTQ
  • Troj/Zbot-HTS
  • Troj/Necurs-BD

Free Rootkit Removal Tool

Sophos Virus Removal Tool cleans up viruses, malware and rootkits on your PC. You can get the free download of our Virus Removal Tool here. Check out our other home-user free tools to get your computers clean and protected.

Podcast: Understanding Botnets


I apparently have Rootkit malware called Ramnit!rootkit detected on 2015-10-13 on an old Windows XP Pro computer (used as a home computer) and frankly I don’t know how to remove it. Does the Sophos Virus Removal Tool deal effectively with this particular rootkit?


Hi, we’ve had protection against Ramnit variants for quite some time so you should find the Virus Removal Tool helps fix this for you. If for any reason it doesn’t, please send us a sample by following the instructions here:

If you have any other questions, please feel free to ask them on our community:



Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!