Rootkits – Necurs used by GOZ Botnet

F-Secure highlights the Necurs rootkit, which is built in a modular fashion as "crimeware for sale" and is being used to help hide the activity of some botnets.

QUOTE: Necurs is a kernel mode driver best known at the moment for being used by Gameover Zeus (GOZ) to hinder attempts to detect and remove the malware. During our analysis we came across some interesting details of Necurs' gradual uptake as a "crimeware for sale" module. It was in February 2014 that we saw the driver included in GOZ, which raised its profile considerably. The GOZ botnet is estimated to run into hundreds of thousands of infections and it is mainly used for online banking theft.

Before Necurs was incorporated, GOZ had been operating without an associated driver. Its addition to the botnet’s operations was rather curious, as it occurred about 2.5 months before the United States’ Federal Bureau of Investigations (FBI) started their takedown operations. The Necurs driver’s design is interesting in that it doesn’t require any changes by the authors for use by a third party. The dropper code used by both the Necurs trojan-downloader and GOZ to create and install the Necurs driver is the same, so the author has provided everything needed for the driver to be taken into use.

