Latest GameOver Zeus variant uses encryption to bypass detection – Gary


Source: myce

GameOver Zeus is a notorious malware family that makes fraudulent transactions from the victim's bank accounts using the infected host. A new variant of GameOver Zeus uses encryption to hide itself during propagation, which makes it very hard for current antivirus products to detect. Because the encrypted payload is not recognised as an executable, it passes perimeter defences such as firewalls, IDS and the other inspection systems in place.

The new variant of the GameOver malware encrypts the ‘.EXE’ payload into a non-executable ‘.ENC’ file, so that the malware, which spreads via spam e-mails and malicious attachments, can avoid being spotted by firewalls, IDS, web filters and other security defences. The initial identification was made by Brendan Griffin of Malcovery Security.

“To spread on a large scale, the spam campaign uses the ‘Cutwail’ botnet, which is designed to look like official correspondence from banks or some government agencies that tricks the user into opening the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation,” Gary said.

In the new spam delivery model, the .zip file attached to the e-mail carries a new version of UPATRE that first downloads the .ENC file, then decrypts it, placing the result in a new location under a new filename, and then causes it both to execute immediately and to be scheduled to execute in the future.
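The delivery chain above (a ‘.ENC’ download followed by a dropped file that is run and scheduled) can be matched in telemetry even though the payload itself is opaque on the wire. The following Python correlation is an added illustration, not code from the article or from Malcovery; the log format, hostnames, paths and URLs are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one web-proxy log and one
# endpoint process-creation log in a simple "key=value" format.
PROXY_LOG = [
    "2014-02-03T09:12:01 host=WS-17 user=jdoe url=http://203.0.113.9/docs/report.enc status=200 bytes=418304",
    "2014-02-03T09:20:44 host=WS-22 user=asmith url=http://example.com/index.html status=200 bytes=1024",
]
PROCESS_LOG = [
    '2014-02-03T09:12:05 host=WS-17 parent=invoice.exe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\qjfyz.exe',
    '2014-02-03T09:12:06 host=WS-17 parent=qjfyz.exe image=schtasks.exe cmdline="schtasks /create /tn Update /tr C:\\Users\\jdoe\\AppData\\Local\\Temp\\qjfyz.exe"',
    '2014-02-03T09:21:00 host=WS-22 parent=explorer.exe image=notepad.exe',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse(line):
    """Split a log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def enc_downloads(proxy_lines):
    """Proxy events whose requested URL ends in '.enc' (the encrypted stage)."""
    for ev in map(parse, proxy_lines):
        if ev.get("url", "").lower().endswith(".enc"):
            yield ev


def scheduled_execs(process_lines):
    """Process events that create a scheduled task (persistence step)."""
    for ev in map(parse, process_lines):
        image = ev.get("image", "").lower()
        if image.endswith("schtasks.exe") and "/create" in ev.get("cmdline", "").lower():
            yield ev


def correlate(proxy_lines, process_lines, window=timedelta(minutes=10)):
    """Return hosts where an .enc download is followed within `window` by task creation."""
    hits = []
    tasks = list(scheduled_execs(process_lines))
    for dl in enc_downloads(proxy_lines):
        for task in tasks:
            if task["host"] == dl["host"] and dl["ts"] <= task["ts"] <= dl["ts"] + window:
                hits.append({"host": dl["host"], "url": dl["url"], "task": task["cmdline"]})
    return hits
```

Running `correlate(PROXY_LOG, PROCESS_LOG)` flags WS-17 only; WS-22 downloaded no ‘.enc’ file and created no task, so it is not reported.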

He adds that William MacArthur of GoDaddy, Brett Stone-Gross of Dell SecureWorks, and Boldizsár Bencsáth of the CrySyS Lab in Hungary also helped him reach this conclusion. A technical article on this malware's encryption is available here.
