The password-stealing ZeuS variant, Gameover, is now using encryption
to get around perimeter security kit like firewalls and intrusion
detection systems.
Malcovery's Gary Warner outlines the new behaviour of the malware at his blog, here, on the basis that the threat needed to be known beyond the circle of the company's customers.
Gameover ZeuS is a password-stealer, and has been spotted in attacks against Bitcoin users in China, and against CryptoLocker.
Warner
writes that the .EXE file associated with Gameover ZeuS should by now
be spotted by up-to-date security, so the malware's authors have begun
encrypting the file and distributing it as a non-executable .ENC file.
Of
course, a .ENC file isn't executable (which is why it could get a pass
mark from security systems), so the authors have to find some way to
decrypt it at the target. They do this via a file included in the
phishing e-mail that kicks off an attack: “the .zip file attached to the
email has a NEW version of UPATRE that first downloads the .enc file
from the Internet and then DECRYPTS the file, placing it in a new
location with a new filename, and then causing it both to execute and to
be scheduled to execute in the future”, Warner writes.
Boldizsár Bencsáth, from CrySys Lab in Hungary, explains the encryption here.
It's not terribly sophisticated (since the purpose isn't to hide
sensitive data, but merely to present security systems with a file
format they'll ignore): the file is compressed, then XORd with a 32-bit
key. The e-mail dropper that infects victims simply reverses this
process
No comments:
Post a Comment