
Gootkit

Posted: April 29, 2019

Gootkit is a spyware program and banking Trojan that can exfiltrate your information or hijack your bank account. Its campaigns circulate it through corrupted e-mail attachments and links, and its ongoing updates focus on sophisticated anti-detection mechanisms. Since infections show minimal symptoms, victims should have anti-malware programs available for blocking or removing Gootkit, and should re-secure their accounts and credentials afterward.

A Trojan Delivery in Extra-Fancy Packaging

The four-year-old Gootkit is a mostly-normal example of a banking Trojan with additional spyware properties in its payload, with campaigns running throughout Europe – such as Italy – and other areas. It can terminate processes at will, collect sensitive information like passwords, intercept or maliciously modify your Internet communications to hijack bank accounts, or collect encryption credentials from tokens and removable drives. However, malware analysts are finding that its defenses offer somewhat more exceptional material to analyze.

Besides these privacy-demolishing attacks, recent versions of Gootkit show advancements in both maintaining itself in a protected environment and keeping security solutions from doing anything about it. The highlights include:

  • Packing provides Gootkit with some protection against static detection rulesets.
  • Gootkit uses a sub-category of memory injection, process hollowing, to run inside another process's memory. Since the 'host' process isn't threatening in itself, this configuration can let Gootkit circumvent various detection metrics.
  • Gootkit uses the 'Heaven's Gate' technique for anti-debugging.
  • The Trojan also uses several string checks and other flags to determine whether it's in a virtual environment, in which case it hibernates in an infinite loop.
  • Gootkit's last trick is a combination of Registry triggers and a same-named 'INF' file that gives it an auto-launching capability upon reboot. Malware experts are emphasizing this feature because it has not been seen to date in any similar threat, banking Trojan or otherwise.
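The process-hollowing evasion described above is one the article leaves at the level of a name. The following is an added example, not code from the article or from Gootkit, showing the kind of heuristic a memory-forensics or EDR check applies to spot a hollowed process: the process's image base should sit inside an image-backed mapping of the file it was launched from, and private read-write-execute memory is a red flag. The record format and the sample snapshots are constructed for illustration.

```python
from dataclasses import dataclass

# Constants modelled on the Win32 MEMORY_BASIC_INFORMATION values.
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_file: str  # backing file for MEM_IMAGE regions, "" otherwise

@dataclass
class ProcessSnapshot:
    image_path: str      # path the kernel recorded when the process was created
    peb_image_base: int  # ImageBaseAddress read from the PEB
    regions: list

def hollowing_indicators(snap):
    """Return the reasons a process looks hollowed; an empty list means no indicator."""
    reasons = []
    # 1. The PEB image base should fall inside an image-backed mapping of the launched
    #    executable. A hollowed process has private memory there, or a different file.
    for r in snap.regions:
        if r.base <= snap.peb_image_base < r.base + r.size:
            if r.mem_type != MEM_IMAGE:
                reasons.append("PEB image base lies in a non-image region")
            elif r.mapped_file.lower() != snap.image_path.lower():
                reasons.append(f"image base backed by {r.mapped_file!r}, not {snap.image_path!r}")
            break
    else:
        reasons.append("PEB image base is not inside any committed region")
    # 2. Private RWX memory is where injected code commonly lives.
    for r in snap.regions:
        if r.mem_type == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
            reasons.append(f"RWX private region at {r.base:#x} ({r.size:#x} bytes)")
    return reasons

# Constructed sample snapshots (not real captures): one benign, one hollowed.
SYSTEM_SVCHOST = r"C:\Windows\System32\svchost.exe"
CLEAN = ProcessSnapshot(SYSTEM_SVCHOST, 0x7FF6_0000_0000,
    [Region(0x7FF6_0000_0000, 0x50000, PAGE_EXECUTE_READ, MEM_IMAGE, SYSTEM_SVCHOST)])
HOLLOWED = ProcessSnapshot(SYSTEM_SVCHOST, 0x400000,
    [Region(0x400000, 0x80000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "")])
```

Real tooling reads these fields from the live process (VirtualQueryEx, the PEB) or from a memory image; the heuristic itself is the same.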

Simple Resolutions against Complex Threats

Gootkit is a modest cornucopia of useful and innovative techniques for the cyber-security industry's further analysis. These features, however, do little to change how it behaves against its victims, who typically are business-sector workers. One particularly prominent infection method is e-mail spam that pretends to be a failed-delivery notification from a shipping service. The template includes well-designed social engineering components, such as the company's logo and native-fluency language.

Victims of Gootkit infections should operate under the assumption that passwords and similar credentials, as well as their bank accounts, are available for a remote attacker's misuse. They can take privacy re-securing steps such as changing their security information and contacting their bank after removing the threat from their computer. Be sure to run the most up-to-date version of your anti-malware solution's database before using it to delete Gootkit, which may require other steps for blocking its auto-starting routine – for example, rebooting into Safe Mode.

Gootkit is a for-profit enterprise, rather than a state-sponsored one, but its code shows similar signs of leaps in tactical cleverness. Users who don't click on unexpected e-mail attachments will be far safer than anyone hoping that they'll identify a threat like this Trojan after the fact.
