Gameover Borrows Kernel-Mode Rootkit from Necurs Malware

Security researchers from Sophos have analyzed the new version

February 28th, 2014 10:07 GMT

Security researchers warn that a new version of Gameover, the peer-to-peer (P2P) version of the notorious ZeuS Trojan, is making the rounds. In addition to configuring their creation to target Salesforce.com customers, the malware developers have also introduced a kernel-mode rootkit.

According to experts from Sophos, the rootkit code has been taken from Necurs, another well-known malware family.

ZeuS, or Zbot, is mainly designed to steal sensitive information from infected computers. A user-mode rootkit was previously integrated into the Trojan to make it more difficult to remove, but the feature was dropped because it wasn’t very effective.

Now, with the kernel-mode rootkit, the malware files are more difficult to remove both from the disk and from memory.

This new variant is delivered via spam runs. Emails purporting to represent invoices are being sent out by cybercriminals. The file attached to the emails is a version of the Upatre malware downloader.

When it’s executed, Upatre downloads an obfuscated copy of Gameover onto infected computers. The downloader is also responsible for unscrambling and launching the information-stealer.

“When it launches, Gameover installs into your Application Data directory, tagging itself with a short block of system-specific binary data,” explained James Wyke, a senior threat researcher with SophosLabs UK.

“This ‘tagging’ serves two purposes: the installed copy is tied to your computer, so it won't run anywhere else if it is taken away for analysis; and your copy of the malware is unique, so that simple checksum-based file matching can't be used to detect it,” he added.
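The effect Wyke describes can be shown from the detection side. This is an added example, not code from Sophos or the original article: it compares a whole-file checksum lookup with a chunk-level similarity check over constructed byte strings. It assumes the tag is a short block appended to an otherwise identical file, and chunk similarity is an illustrative technique chosen here, not one the article attributes to any product.

```python
import hashlib

# Constructed stand-ins, not real malware: one shared body and two different
# 16-byte trailing "tags" (assumption: the tag is a short appended block).
BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
COPY_A = BODY + bytes.fromhex("00112233445566778899aabbccddeeff")
COPY_B = BODY + bytes.fromhex("ffeeddccbbaa99887766554433221100")
BENIGN = b"".join(hashlib.sha256(bytes([i, 1])).digest() for i in range(64))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def checksum_match(data, blocklist):
    """Whole-file checksum lookup: a single changed byte defeats it."""
    return sha256_hex(data) in blocklist


def chunk_digests(data, size=64):
    """Digest each fixed-size chunk so unchanged regions still line up."""
    return {hashlib.sha256(data[i:i + size]).digest()
            for i in range(0, len(data), size)}


def similarity(a, b, size=64):
    """Jaccard similarity of chunk digests: 0.0 (disjoint) to 1.0 (identical)."""
    da, db = chunk_digests(a, size), chunk_digests(b, size)
    return len(da & db) / len(da | db)


def content_match(data, reference, threshold=0.9):
    """Flag a file whose chunks mostly match a known reference sample."""
    return similarity(data, reference) >= threshold


if __name__ == "__main__":
    blocklist = {sha256_hex(COPY_A)}  # checksum taken from one captured copy
    for name, sample in (("copy A", COPY_A), ("copy B", COPY_B),
                         ("benign", BENIGN)):
        print(name,
              "checksum hit:", checksum_match(sample, blocklist),
              "similarity to A:", round(similarity(sample, COPY_A), 3))
```

Fixed-offset chunks only line up when the differing bytes sit at the end of the file; a tag placed earlier would shift every later chunk and need content-defined chunking or a byte-pattern signature instead.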

The new Gameover variant drops and installs the Necurs rootkit as a kernel driver. If it doesn’t have administrator rights and the system is 32-bit, the threat attempts to exploit an old Windows kernel vulnerability to elevate its privileges.

If this particular bug is patched, the UAC prompt is displayed when the rootkit is loaded. This might make some users suspicious, considering that the file they were supposedly opening should have been a document.

The rootkit’s role is to protect the malware. It prevents users from killing the malware process.

Based on this evidence, experts believe that the Gameover and Necurs cybercrime groups could have teamed up. Another explanation is that the developers of Gameover might have somehow obtained the Necurs source code.

“Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development,” Wyke warns.

Additional technical details on Gameover attacks are available on Sophos’ blog.
