Zeus Trojan Gets Persistent with New Rootkit

Photo credit: abxyz/Shutterstock.com
Photo credit: abxyz/Shutterstock.com

Researchers say that the most widespread Zeus derivative is the Gameover bot, also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control. And, the “Gameover gang” has been trying some new approaches of late, in particular via a kernel-mode rootkit.

Zeus has been the most successful financial malware to date, built to steal information like online banking log-in details. According to researchers at Sophos, the code for the new rootkit version comes from another notorious malware family known as Necurs. It has been added to protect the malware files on disk and in memory, making it harder to find and remove once the malware is active.

“Early Zbot versions employed a user-mode rootkit that would hide the Zbot directory and registry entries from user-land tools,” noted James Wyke, Sophos researcher, in a blog. “However, by Version 2 of the malware, this rootkit had been dropped as it was largely ineffective. Instead, Zbot began to inject its code into system processes and browsers, hooking important software functions in order to snoop on the data passing through the system.”

This particular strain of Gameover is taking a fresh approach.

As usual, it’s being delivered through spam messages containing a downloader malware known as Upatre. that downloader in turn is attached as a Windows executable inside a ZIP file (the sample that Sophos looked at was a fake French-language invoice). When the user clicks on the file and launches it, it downloads an obfuscated and compressed copy of the Gameover malware, which is then “unscrambled” and installed in the Application Data directory, tagging itself with a short block of system-specific binary data.

“This ‘tagging’ serves two purposes: the installed copy is tied to your computer, so it won't run anywhere else if it is taken away for analysis; and your copy of the malware is unique, so that simple checksum-based file matching can't be used to detect it,” explained Wyke.

Normally, Gameover then injects itself into other processes and exits – but instead, the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

“Once active, the rootkit protects the Gameover malware so that you can't delete it,” said Wyke. “It also stops you killing off the Gameover process.”

He added, “The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet.”

Obviously, the addition of the Necurs rootkit to an already-dangerous piece of malware is an “unwelcome development,” as Sophos noted. It’s unclear whether the two malware groups are collaborating actively, or whether Gameover-user criminals somehow acquired the Necurs source code.

As always, users should be very wary of clicking on any unsolicited email attachment.

What’s Hot on Infosecurity Magazine?