GameOver Zeus Now Using Encryption to Bypass Detection

Cybercriminals have tweaked the way the malware GameOver Zeus is delivered to users’ machines, changing .exe files to .enc files to evade detection.

Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials.

To get the job done, GameOver Zeus has been working in tandem with another piece of malware, Upatre.

For about a week now criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, Web filters and other security defenses.

Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham, posted about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday.

The file, while encrypted, can still be executed after a user opens a .zip file (found in spam e-mail attachments), which initiates a domino effect, downloading the GameOver Zeus file.

The .zip files download the .enc file from the internet and decrypt it, “placing it in a new location with a new file name, and then causing it both to execute and to be scheduled to execute in the future,” Warner says.

As .enc files aren’t inherently malicious, none of the 50 security programs at VirusTotal, Google’s free detection service, currently flags attachments carrying them as malicious.

Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery, sent along a series of spam messages, some purporting to come from the Better Business Bureau, Skype and the IRS, among other agencies, spreading the malware.

The behavior has been happening consistently since that time and Warner is stressing that both spam campaigns, GameOver and Upatre, are still very much related and are still being powered by the Cutwail botnet.

Spam emails spreading GameOver, a variant of the Zeus malware, have been making the rounds for two years or so. The FBI initially sounded the alarm over bogus emails from the FDIC and NACHA carrying it in 2012, and shortly thereafter the Trojan leveraged the Cutwail botnet to spread the spam messages further.

According to Boldizsár Bencsáth, a researcher at Hungary’s CrySyS Lab who helped with Warner’s research, technically the .enc file is compressed and then XOR’ed with a 32-bit key; Upatre reverses the process, in turn creating the .exe file.
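The layout Bencsáth describes can be reproduced to show why a check for an executable signature misses the .enc file, and how four bytes of known plaintext give an analyst the 32-bit key from a captured sample. This is an added example, not code from the article or the researchers; gzip stands in for the compression step, which the article does not name, and the key and PE-shaped stub are constructed.

```python
import gzip
import struct
import zlib

# Assumed known plaintext: gzip magic, deflate method, no flags (stand-in format).
GZIP_PREFIX = b"\x1f\x8b\x08\x00"

def xor32(data: bytes, key: bytes) -> bytes:
    # Repeating 4-byte XOR; applying it twice restores the input.
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    # The kind of signature check a gateway applies: "MZ" plus "PE\0\0" at e_lfanew.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_key(blob: bytes, known_prefix: bytes = GZIP_PREFIX) -> bytes:
    # Known-plaintext recovery: key = ciphertext XOR plaintext over the first 4 bytes.
    if len(blob) < 4:
        raise ValueError("blob shorter than the key")
    return bytes(c ^ p for c, p in zip(blob[:4], known_prefix))

def decode_enc(blob: bytes):
    # Returns (key, payload) when the blob fits the assumed layout, otherwise None.
    key = recover_key(blob)
    try:
        return key, gzip.decompress(xor32(blob, key))
    except (OSError, EOFError, zlib.error):
        return None

def make_sample(key: bytes):
    # Constructed, inert input: a PE-shaped header only, compressed then XOR'ed.
    stub = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 64)
    return stub, xor32(gzip.compress(stub, mtime=0), key)

if __name__ == "__main__":
    stub, blob = make_sample(bytes.fromhex("a1b2c3d4"))  # constructed key
    print("encoded blob passes PE check:", looks_like_pe(blob))
    key, payload = decode_enc(blob)
    print("recovered key:", key.hex())
    print("decoded payload passes PE check:", looks_like_pe(payload))
```

The signature check only succeeds on the decoded bytes, so inspection has to happen after decoding (on the endpoint or in a sandbox) rather than on the bytes seen in transit.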

Upatre is the malware that popped up last year and was studied extensively by Microsoft and Dell’s SecureWorks. The malware is basically used to download other malware, and like GameOver, is also primarily spread via spam.

Bencsáth notes on CrySyS’s blog that while the droppers sent out via spam emails are small, he was able to find a small (5k) downloader that he discovered can connect to a server, download the .enc file, decrypt, decompress and execute it, resulting in GameOver.

In addition to Bencsáth, Warner also gives a tip of the hat to GoDaddy’s William MacArthur and Dell SecureWorks’ Brett Stone-Gross, who also assisted in the research.

Last fall, Microsoft noticed the Cutwail botnet distributing Upatre malware via spam and through exploit kits targeting Java and PDF vulnerabilities to the tune of over one million reported infections, a colossal spike over statistics from prior months.
