NEWS FROM THE LAB - Friday, March 14, 2014

Gameover ZeuS Jumps on the Bitcoin Bandwagon Posted by Sean @ 11:14 GMT

We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.

Very interesting, indeed.

Here's a screenshot of the decrypted strings:

[Screenshot: Gameover ZeuS Bitcoin strings, as named by the disassembler]

  •  aBitcoinQt_exe
  •  aBitcoind_exe
  •  aWallet_dat
  •  aBitcoinWallet
  •  aBitcoinWalle_0

Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.

Analysis is ongoing.

Here's the SHA1: 657b1dd40a4addc1a6da0fb50ee6e325fff84dc4

Analysis by — Mikko Suominen

Updated to add:

Gameover ZeuS can now steal both Bitcoin wallets and the passwords used to encrypt them.

Theft is accomplished by hooking two functions in processes named bitcoin-qt.exe (the standard GUI client) and bitcoind.exe (the headless daemon, which mining software and other scripted setups drive through its RPC interface). The hooked functions are:

  •  The Windows API NtCreateFile
  •  A function inside the Bitcoin client that is called when the user encrypts the wallet

The first hook lets Gameover ZeuS see every file the client opens, so it can recognise the wallet file (wallet.dat) when the client accesses it and copy its content. The second hook captures the passphrase the victim types when encrypting the wallet, so the stolen wallet can be unlocked as well.
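As an added example (not from the post or from the F-Secure analysts), here is a small Python triage script for a memory snapshot of a bitcoin-qt.exe process. It does two things a responder would want after reading the above: compares the in-memory prologue of ntdll's NtCreateFile stub against the clean on-disk bytes and classifies any detour it finds (jmp rel32, jmp [mem], push/ret, mov rax/jmp rax, int3), and scans the snapshot for the decrypted strings the post lists. The clean stub bytes, the hooked stub and the memory snapshot are constructed for illustration; the syscall number in the stub is a placeholder, not the real one for any Windows build.

```python
"""Triage a process memory snapshot for the two indicators described above:
a patched NtCreateFile stub and the decrypted wallet-theft strings.
Pure Python, runs offline on constructed sample data."""
import struct
from typing import Optional

# The three strings from the post whose exact text is recoverable from the
# disassembler names (aBitcoinQt_exe, aBitcoind_exe, aWallet_dat).
WALLET_STRINGS = ("bitcoin-qt.exe", "bitcoind.exe", "wallet.dat")

# Constructed x64 ntdll syscall stub: mov r10, rcx; mov eax, N; syscall; ret.
# The syscall number 0x99 is a placeholder (assumption), not a real value.
CLEAN_STUB = bytes.fromhex("4C8BD1B8990000000F05C3")
# Constructed hooked copy: first five bytes replaced by jmp rel32 (E9 + disp).
HOOKED_STUB = bytes.fromhex("E900100000") + CLEAN_STUB[5:]
# Constructed snapshot fragment: strings in UTF-16LE, ASCII and mixed case.
SAMPLE_MEM = (b"\x00" * 16 + "bitcoin-qt.exe".encode("utf-16-le") + b"\x00\x00"
              + b"bitcoind.exe\x00" + b"\x90" * 8 + b"WALLET.DAT\x00")


def classify_detour(code: bytes) -> Optional[str]:
    """Describe a detour at the start of `code`, or return None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 (disp {rel:+#x})"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [mem]
        return "jmp [abs/rip-relative]"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push/ret
        addr = struct.unpack_from("<I", code, 1)[0]
        return f"push/ret (target 0x{addr:08x})"
    if (len(code) >= 12 and code[:2] == b"\x48\xb8"
            and code[10:12] == b"\xff\xe0"):                     # mov rax; jmp rax
        addr = struct.unpack_from("<Q", code, 2)[0]
        return f"mov rax, imm64; jmp rax (target 0x{addr:016x})"
    if code[:1] == b"\xcc":
        return "int3 (breakpoint-style hook)"
    return None


def check_stub(clean: bytes, live: bytes) -> dict:
    """Compare clean on-disk stub bytes with the live in-memory copy."""
    n = min(len(clean), len(live))
    first_diff = next((i for i in range(n) if clean[i] != live[i]), None)
    return {
        "hooked": first_diff is not None,
        "first_diff": first_diff,
        "detour": classify_detour(live) if first_diff is not None else None,
    }


def find_wallet_strings(mem: bytes) -> set:
    """Case-insensitive search for the decrypted strings, ASCII and UTF-16LE.
    bytes.lower() only folds ASCII letters, so the interleaved NUL bytes of
    UTF-16LE survive and the encoded lowercase needle still matches."""
    low = mem.lower()
    return {s for s in WALLET_STRINGS
            if s.encode("ascii") in low or s.encode("utf-16-le") in low}


if __name__ == "__main__":
    print("clean :", check_stub(CLEAN_STUB, CLEAN_STUB))
    print("hooked:", check_stub(CLEAN_STUB, HOOKED_STUB))
    print("strings:", sorted(find_wallet_strings(SAMPLE_MEM)))
```

On a live system you would obtain `clean` by reading the stub bytes out of ntdll.dll on disk and `live` by reading the same offset from the target process; both are left as inputs here so the logic runs anywhere. A patched prologue in a process that has no business hooking ntdll, together with all three strings present, is a strong signal; either alone merits a closer look rather than a verdict.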