Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security.
We’ve covered it as plain old Zbot.
We’ve covered the Citadel variant, which appeared when the original Zbot code was leaked online.
We’ve even written about the time it pretended to be a Microsoft fix for CryptoLocker, a completely different strain of malware.
Currently, the most widespread Zbot derivative is the Gameover bot, also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control.
The Gameover gang has been trying new techniques recently: hot on the heels of code to target logged-in users of cloud-based CRM Salesforce.com comes the introduction of a kernel-mode rootkit.
The code for this rootkit comes from another notorious malware family known as Necurs.
A brief history of Zbot/Zeus
Malware in the Zbot family is built to steal information, primarily login credentials, and it is good at its job.
Early Zbot versions employed a user-mode rootkit that would hide the Zbot directory and registry entries from user-land tools.
However, by Version 2 of the malware, this rootkit had been dropped as it was largely ineffective.
Instead Zbot began to inject its code into system processes and browsers, hooking important software functions in order to snoop on the data passing through the system.
In the latest Gameover development, the Necurs rootkit has been added to protect the malware files on disk and in memory, making it harder to find and remove once the malware is active.
How does this variant reach your computer?
This particular strain of Gameover is being delivered through spam messages containing fake invoices.
The attachments don’t contain the malware itself; instead, they contain downloader malware known as Upatre.
Downloaders do exactly what their name suggests: they call home and fetch the latest malware version that the crooks want to distribute.
Fake invoice emails are similarly straightforward but effective: they claim to contain some sort of payment advice for a purchase you know you didn’t make; the crooks hope you will open the attachment as the first step in contesting the payment.
Here is an example message:
In this case the campaign is targeted at French speakers and purports to be from HSBC France.
The Upatre downloader is attached as an EXE file (a Windows program) inside a ZIP file named Avis.de.Paiement.zip.
What happens if you open the fake invoice?
If you launch the file, it downloads an unstructured lump of data – known to programmers as a BLOB, short for “binary large object” – which is actually an obfuscated and compressed copy of the Gameover malware:
The downloader then unscrambles and launches Gameover.
When it launches, Gameover installs into your Application Data directory, tagging itself with a short block of system-specific binary data.
This “tagging” serves two purposes: the installed copy is tied to your computer, so it won’t run anywhere else if it is taken away for analysis; and your copy of the malware is unique, so that simple checksum-based file matching can’t be used to detect it.
Normally, Gameover then injects itself into other processes and exits.
This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.
Two drivers – a 32-bit and a 64-bit version – are unscrambled using one of a selection of decryption and decoding algorithms, including RC4, as seen here:
Then, further shellcode is decrypted and executed to setup and load the appropriate driver.
We can see that the code first checks to see if the Necurs device object NtSecureSys already exists:
If it does not, the appropriate driver will be loaded.
If the system is 32-bit and you do not have administrator rights, the malware tries to exploit an aging vulnerability known as CVE-2010-4398 to elevate its privilege so it can load the driver.
The exploit relies on a specially-crafted registry entry and, somewhat curiously, the use of a system function associated with End-User Defined Characters (EUDCs), as seen here:
If you are patched against this vulnerability, then the loading of the rootkit will trigger a User Account Control (UAC) prompt – an immediately-suspicious side effect, considering that the file you just opened was supposed to be an invoice.
If you are running XP, which doesn’t have UAC, and you aren’t an administrator, the rootkit can’t prompt for permission to load, ironically making you very slightly safer.
The 64-bit driver is digitally signed, but with an unsigned and obviously bogus certificate:
64-bit versions of Windows usually insist that drivers are signed with verified certificates, so the malware tries to reconfigure your system so that it will accept unverified drivers.
The malware uses the BCEDIT Boot Configuration Editor utility to set the TESTSIGNING boot option, allowing the malicious driver to be loaded:
What does the rootkit do?
Once active, the rootkit protects the Gameover malware so that you can’t delete it:
It also stops you killing off the Gameover process:
The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet.
What does this apparent collaboration between the Gameover and Necurs gangs mean?
We don’t know for sure – perhaps the the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang.
Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development.
Learning more about bots and botnets
Gameover is just one of many bots and botnets that are currently at large on the internet.
If you’d like to know more about the what, how and why of these threats, you might like to listen to our Techknow podcast on the subject: