Gameover variant of Zeus trojan slips by security as encrypted file

The Gameover variant of the Zeus banking trojan has recently been observed sneaking past defenses.

The Gameover variant of the nefarious Zeus banking trojan has recently been observed sneaking past defenses as an encrypted EXE file, according to researchers with Malcovery, a provider of security intelligence and forensic analysis through services and software.

According to a Sunday post by Gary Warner, CTO of Malcovery, this latest tweak to the Gameover delivery method involves encrypting the EXE file so that it no longer looks like an executable to inspection devices, letting it slip undetected through firewalls, web filters, network intrusion detection systems and other perimeter security.

“In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future,” Warner said in the post.
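As an added example (not code from the article, from Malcovery, or from the Upatre authors), the Python below shows why the trick described in the two paragraphs above works and what a scanner that sees the downloaded .enc blob can do about it: once the bytes are encrypted, a naive "is this an executable?" check for the DOS "MZ" and "PE" signatures fails, but a brute-forced single-byte XOR key or an entropy threshold still flags the file. The PE stand-in, the 0x5A key, the 1337 seed and both ciphers are constructed assumptions; the article says only that the EXE was encrypted, not how.

```python
"""Constructed example for this article: an encrypted payload versus
a perimeter check that looks for the Windows executable signature.
Nothing here is Malcovery's, Dell SecureWorks' or Upatre's code."""
import math
import random
import struct
from collections import Counter

PE_OFFSET = 0x80  # where the stand-in file places its "PE\0\0" signature


def build_fake_pe(size: int = 4096) -> bytes:
    """Constructed stand-in for a Windows executable: 'MZ' at offset 0,
    a little-endian pointer at 0x3C to the 'PE\0\0' signature, then
    low-entropy filler (NOPs, a DOS-stub string, zero padding) that
    stands in for code and data sections."""
    header = bytearray(PE_OFFSET)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, PE_OFFSET)
    filler = (b"\x90" * 16 + b"This program cannot be run in DOS mode.") * 64
    return bytes(header + b"PE\0\0" + filler)[:size].ljust(size, b"\0")


def looks_like_pe(data: bytes) -> bool:
    """The naive signature check a web filter or IDS might apply:
    DOS header magic plus a valid pointer to the PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Weakest possible 'encryption': XOR every byte with one key byte.
    Enough to erase the MZ/PE signatures; symmetric; entropy unchanged."""
    return bytes(b ^ key for b in data)


def xor_keystream(data: bytes, seed: int) -> bytes:
    """XOR with a seeded PRNG keystream, standing in for a real stream
    cipher (an assumption: the article does not say what Upatre uses).
    Applying it twice with the same seed recovers the plaintext."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain executables sit lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recover_single_byte_xor(data: bytes):
    """Try all 256 keys; return the one that yields a PE header, else None."""
    for key in range(256):
        if looks_like_pe(xor_single_byte(data, key)):
            return key
    return None


def classify_download(data: bytes) -> str:
    """Verdict a downloader-aware scanner could attach to a fetched blob."""
    if looks_like_pe(data):
        return "executable"
    if shannon_entropy(data) > 7.0:
        return "high-entropy blob (possible encrypted payload)"
    key = recover_single_byte_xor(data)
    if key is not None:
        return f"xor-obfuscated executable (key 0x{key:02x})"
    return "other"


if __name__ == "__main__":
    pe = build_fake_pe()
    samples = {
        "plain .exe": pe,
        "single-byte XOR .enc": xor_single_byte(pe, 0x5A),
        "keystream .enc": xor_keystream(pe, 1337),
    }
    for name, blob in samples.items():
        print(f"{name:22} pe={looks_like_pe(blob)!s:5} "
              f"entropy={shannon_entropy(blob):.2f} -> {classify_download(blob)}")
```

The two heuristics cover each other's blind spot: a single-byte XOR leaves the byte histogram, and therefore the entropy, exactly as it was, so an entropy threshold alone misses it, while a keystream cipher defeats the 256-key brute force but pushes entropy close to 8 bits per byte. Either way, the check has to run on the second-stage download that Upatre fetches, not only on the mailed .zip.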

In October 2013, researchers with Dell SecureWorks Counter Threat Unit (CTU) identified a malware downloader called “Upatre” being delivered via spam, which at the time was observed using an encrypted SSL connection to download the Gameover malware directly from compromised web servers.

The spam element still plays a role in this latest campaign.

“The malware delivery mechanism through spam email remains the same,” Brett Stone-Gross, a senior security researcher with Dell SecureWorks CTU, said in an email to SCMagazine.com. Warner posted images of emails containing Upatre that fool recipients by purporting to come from well-known groups, including Staples and the IRS.

However, security professionals have since found ways to detect the SSL-based delivery method.

“The encrypted connections over SSL can be detected by intercepting the network traffic (through a technique known as a man-in-the-middle attack) to decrypt the communications on-the-fly, and by identifying anomalies in the SSL certificate generation process that is used to encrypt the traffic,” Stone-Gross said.

Gameover shares many of Zeus's capabilities, such as logging keystrokes to steal banking credentials, but it has also been packaged with functions that let it launch distributed denial-of-service (DDoS) attacks against financial institutions.
