Gameover Zeus variant harder to kill
Posted by: Timothy Weaver on 03/01/2014 11:41 AM
According to security researchers from Sophos, the Gameover malware now comes with a rootkit that makes it harder to remove.
Gameover is a computer Trojan based on the infamous Zeus banking malware.
Researchers from Sophos said Thursday in a blog post that the latest trick from the Gameover authors involves using a kernel rootkit called Necurs to protect the malware’s process from being terminated and its files from being deleted.
This latest variant is being distributed via an email with an attachment that purports to be an invoice from HSBC France in a .zip file. The zip file does not contain the virus, but rather a downloader called Upatre which, if run, downloads and installs the banking malware.
If the download is successful, the malware tries to install the Necurs rootkit. Microsoft issued a patch in 2010 that can thwart that installation. If the rootkit cannot install itself, the malware instead triggers a User Account Control (UAC) prompt asking for Administrator privileges. Users should be alarmed that an invoice is asking for those privileges!
However, if the user confirms the execution anyway or the exploit is successful in the first place, the rogue driver starts protecting the Gameover components.
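The lure described above is a .zip attachment whose member is an executable dressed up as an invoice. The following added example (not code from Sophos or from the article) inspects such an attachment on the mail-gateway side and flags executable extensions, double extensions, and PE ("MZ") content hiding behind a document extension; the member name and bytes are constructed samples, not the real Upatre file.

```python
import io
import zipfile

# Extensions that Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs"}


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip with a single member (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample mimicking the invoice lure: a PE-looking stub (just an 'MZ'
# header, not a real executable) with a double extension.
SAMPLE_LURE = build_zip("HSBC_invoice_2014.pdf.exe", b"MZ" + b"\x00" * 62)


def inspect_zip_attachment(data: bytes) -> list:
    """Return (member_name, reason) findings for a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS:
                findings.append((name, "executable extension " + ext))
                if len(parts) > 2:
                    findings.append((name, "double extension hides executable"))
            # Check content, not just the name: a Windows PE file starts with 'MZ'.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXEC_EXTENSIONS:
                findings.append((name, "PE header in non-executable extension"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member of the attachment looks like a disguised executable."""
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(SAMPLE_LURE):
        print(f"{member}: {reason}")
```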
The Sophos researchers said: “The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet.”
“Perhaps the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang,” the Sophos researchers said. “Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development.”
Zeus variants accounted for almost half of all banking malware seen in 2013.