Incident Response, Malware, TDR

Gameover trojan uses rootkit to remain stealthy, tougher to remove

Researchers have discovered a Gameover variant of the Zeus trojan that has been modified to include the Necurs rootkit, which makes the malware tougher to detect and remove by protecting files on the disk and memory.

“Once active, the rootkit protects the Gameover malware so that you can't delete it,” James Wyke, senior threat researcher with SophosLabs UK, wrote in a Feb. 27 post. “It also stops you killing off the Gameover process.”

This version of Gameover is delivered through fake invoice spam that contains Upatre downloader malware, Wyke wrote, explaining that the downloader unscrambles and launches an obfuscated and compressed copy of the malware.

The malware installs to the Application Data directory and is tied to the victim's computer, so it cannot be run anywhere else for analysis, Wyke wrote.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.