Notorious "Gameover" malware gets itself a kernel-mode rootkit...

Filed Under: Featured, Malware

Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security.

We've covered it as plain old Zbot.

We've covered the Citadel variant, which appeared when the original Zbot code was leaked online.

We've even written about the time it pretended to be a Microsoft fix for CryptoLocker, a completely different strain of malware.

Currently, the most widespread Zbot derivative is the Gameover bot, also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control.

The Gameover gang has been trying new techniques recently: hot on the heels of code to target logged-in users of cloud-based CRM comes the introduction of a kernel-mode rootkit.

The code for this rootkit comes from another notorious malware family known as Necurs.

A brief history of Zbot/Zeus

Malware in the Zbot family is built to steal information, primarily login credentials, and it is good at its job.

Early Zbot versions employed a user-mode rootkit that would hide the Zbot directory and registry entries from user-land tools.

However, by Version 2 of the malware, this rootkit had been dropped as it was largely ineffective.

Instead Zbot began to inject its code into system processes and browsers, hooking important software functions in order to snoop on the data passing through the system.

In the latest Gameover development, the Necurs rootkit has been added to protect the malware files on disk and in memory, making it harder to find and remove once the malware is active.

How does this variant reach your computer?

This particular strain of Gameover is being delivered through spam messages containing fake invoices.

The attachments don't contain the malware itself; instead, they contain downloader malware known as Upatre.

Downloaders do exactly what their name suggests: they call home and fetch the latest malware version that the crooks want to distribute.

Fake invoice emails are similarly straightforward but effective: they claim to contain some sort of payment advice for a purchase you know you didn't make; the crooks hope you will open the attachment as the first step in contesting the payment.

Here is an example message:

In this case the campaign is targeted at French speakers and purports to be from HSBC France.

The Upatre downloader is attached as an EXE file (a Windows program) inside a ZIP file named

What happens if you open the fake invoice?

If you launch the file, it downloads an unstructured lump of data - known to programmers as a BLOB, short for "binary large object" - which is actually an obfuscated and compressed copy of the Gameover malware:

The downloader then unscrambles and launches Gameover.

When it launches, Gameover installs into your Application Data directory, tagging itself with a short block of system-specific binary data.

This "tagging" serves two purposes: the installed copy is tied to your computer, so it won't run anywhere else if it is taken away for analysis; and your copy of the malware is unique, so that simple checksum-based file matching can't be used to detect it.

Normally, Gameover then injects itself into other processes and exits.

This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

Two drivers - a 32-bit and a 64-bit version - are unscrambled using one of a selection of decryption and decoding algorithms, including RC4, as seen here:

Then, further shellcode is decrypted and executed to setup and load the appropriate driver.

We can see that the code first checks to see if the Necurs device object NtSecureSys already exists:

If it does not, the appropriate driver will be loaded.

If the system is 32-bit and you do not have administrator rights, the malware tries to exploit an aging vulnerability known as CVE-2010-4398 to elevate its privilege so it can load the driver.

The exploit relies on a specially-crafted registry entry and, somewhat curiously, the use of a system function associated with End-User Defined Characters (EUDCs), as seen here:

If you are patched against this vulnerability, then the loading of the rootkit will trigger a User Account Control (UAC) prompt - an immediately-suspicious side effect, considering that the file you just opened was supposed to be an invoice.

If you are running XP, which doesn't have UAC, and you aren't an administrator, the rootkit can't prompt for permission to load, ironically making you very slightly safer.

The 64-bit driver is digitally signed, but with an unsigned and obviously bogus certificate:

64-bit versions of Windows usually insist that drivers are signed with verified certificates, so the malware tries to reconfigure your system so that it will accept unverified drivers.

The malware uses the BCEDIT Boot Configuration Editor utility to set the TESTSIGNING boot option, allowing the malicious driver to be loaded:

What does the rootkit do?

Once active, the rootkit protects the Gameover malware so that you can't delete it:

It also stops you killing off the Gameover process:

The rookit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet.

What next?

What does this apparent collaboration between the Gameover and Necurs gangs mean?

We don't know for sure - perhaps the the two groups are joining forces, or perhaps the Necurs source code has been acquired by the Gameover gang.

Whatever the reason, the addition of the Necurs rootkit to an already-dangerous piece of malware is an unwelcome development.

Learning more about bots and botnets

Gameover is just one of many bots and botnets that are currently at large on the internet.

If you'd like to know more about the what, how and why of these threats, you might like to listen to our Techknow podcast on the subject:

NB. Sophos products detect and block the various components of this malware under the following names:

  • HPmal/Zbot-C
  • Troj/ZbotMem-B
  • Troj/NecKMem-A
  • Mal/DrodZp-A
  • Troj/Zbot-HTQ
  • Troj/Zbot-HTS
  • Troj/Necurs-BD

, , , , , , , , , , , , ,

You might like

19 Responses to Notorious "Gameover" malware gets itself a kernel-mode rootkit...

  1. NoSpin1600 · 585 days ago

    Run Linux as your desktop and you can avoid a lot, not all, of the headaches of malware, viruses, etc.

    • Paul Ducklin · 585 days ago

      Ironically, a major factor contributing to the large number of infected Windows _desktops_ is the large number of hacked or infected Linux _servers_.

      I don't have precise figures, but it's reasonable to say that most of the servers that are taken over by crooks to serve as a distribution and download vector for their malware are running Linux, often unpatched and frequently very heaviled "pwned."

      In this article, for example, you can see the downloader pulling its malicious BLOB from what looks very much like a WordPress instance running on nginx.

      That's unlikely to be a server actually owned and operated by the crooks for the purpose of malware dissemination - it's probably an otherwise-innocent but insecure, unpatched, and hacked server run by an otherwise-innocent Linux user :-(

      • Conrad Longmore · 585 days ago

        Although client-side exploits for Linux are rare.. but they do happen. It's not a million miles away from what happens with Macs. There are not so many exploits that targets those systems, but there's a tendency for the systems to be not well protected (because the owners think "they don't get malware").

        On a side note.. I wonder if we'll see an uptick in Linux installations when Windows XP goes out of support. If there is growth in the installed Linux base then it will probably attract more attackers.

        • Sadly, I suspect that what we'll see when Windows XP goes out of support is an enormous number of people running compromised XP machines.

      • Anonymous · 585 days ago

        If you run a vulnerable version of WordPress on a Windows server you are just as vulnerable. There is no indication here that the security of the underlying OS is to blame here.

        • Paul's comment isn't about the vulnerability of the underlying OS it's about the bald fact that there are, out there in the real world, a very, very large number of compromised Linux machines indeed.

          • Paul Ducklin · 584 days ago

            Indeed. Richard Stallman might have a conniption about it, but I am using the term "Linux" in the general sense. I mean "a computer with loads of stuff on it, all of which runs on top of GNU/Linux," much like the original poster mention "desktop Linux," presumably including the X Window System, KDE (or Gnome, or whatever), a browser, and much more.

            Saying, "But it was WordPress's fault!" (it was probably a plugin, actually :-) doesn't really help.

      • Los Hermanos · 585 days ago

        That would't be a problem if you use a Linux desktop computer.

        For all the rest, your story is true to the bone, exept for the 'infected linux server' part. Those servers are not infected or hacked, but the software that's running on them might be compremised, for instance cms's like Joomla, WordPress and several other php-like instances.

        You can't, and shouldn't, blame the Linux OS for that.

        • Paul Ducklin · 584 days ago

          I didn't blame "the Linux OS" for anything. I'm just using the phrase "Linux computer" in the same way that people say they are "running Windows" or "using OS X".

          Anyway, surely if Linux is *that* safe, admins who choose it should have lots more time to keep the software they run on it properly patched, and far fewer excuses for not doing so?

          For such a jolly secure operating system, Linux certainly seems to attract a kot of careless users :-)

          • Anonymous · 501 days ago

            You certainly are trying to blame Linux for the failures of the software packages installed....and your getting defensive about it.

      • anonymous · 585 days ago

        Not to mention that the user has to download a zip and run an exe.

  2. EveryOSisSacred · 585 days ago

    Another linux noob with no idea.

  3. Anonymous · 584 days ago

    The problem is users not updating their wordpress. Linux as a desktop is very secure... You are not running a server visible on the internet when you do this...

    • Paul Ducklin · 584 days ago

      When you say "the problem is X," do you mean that "X is a possible explanation, perhaps even a likely one, in this individual case we are talking about?"

      And "Linux as a desktop" is only as secure as....well, the sum of all the parts, from the OS kernel and all its drivers, to your browser plugins. (As for your desktop not being visible on the internet, hmmmmmm. Maybe if it isn't connected to the internet.)

  4. Yevgeniy · 583 days ago

    Hi, nice post!!!
    Can you please post MD5 or SHA1 of the analyzed samples.


  5. Anonymous · 578 days ago

    What happens if you are an administrator with UAC set to the highest level?

    • Paul Ducklin · 578 days ago

      We set the UAC "security slider" to the top of the scale and launched the malware both from Explorer and from a command prompt. (To be precise, by "we," I mean that James Wyke did the work and I'm telling you about it :-)

      The kernel driver (i.e. the rootkit executable) loaded without any UAC prompt. That, presumably, is because a process running as Admin is supposed to be able to load and unload kernel drivers.

      So...errrr...don't use an Administrator account to read fake invoices.

  6. Moritz Kroll · 574 days ago

    Thanks for the interesting read!

    But the drivers are actually just encrypted with a 32-bit XOR key (the fields you called RC4Key1 and RC4Key2). var_108 is a crypt object, whose first dword field decides, whether it's an RC4 encryption (=0), 32-bit XOR (=1), Base64FromUnicode (=2), Base64FromAscii (=3), or 8-bit XOR with each previous byte (=4).

    [Comment edited for length]

    • Paul Ducklin · 573 days ago

      Thanks for the note! We've clarified that in the text.

      (We also changed the word we used to describe the main decryption/decoding loop to "unscrambled." If something is encrypted with a hard-wired, built-in key, then calling it "encrypted" can be slightly misleading...does the user have to provide some kind of key?)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

James Wyke is a Senior Threat Researcher with SophosLabs UK