'Vawtrak' Malware Expands Targets, Capabilities: PhishLabs

  • 5 September 2014
  • 3 replies
  • 2 views

By Brian Prince on September 04, 2014
 
Attackers have broadened both the capabilities and targets of malware first spotted primarily targeting financial institutions in Japan.
According to PhishLabs, the reach of the Vawtrak malware has been expanded to include social networks, online retailers, analytics firms and game portals across several different countries including the United States, Canada and the U.K. In addition, newer configurations of the Vawtrak botnet have advanced web injects that enable the theft of additional personal information for exploiting the victim's account.
Just how big the botnet is isn't easy to say.
"In estimating the magnitude and scope of the Vawtrak botnet threat accurately, PhishLabs takes into account first-hand sources such as the number of Vawtrak botnets and partitions, as well as logs from the spam botnets…and exploit kits (recently, Nuclear Pack) used to distribute Vawtrak," Don Jackson, director of threat intelligence at PhishLabs, explained in an email.
"The most authoritative source is the Vawtrak admin panels used to manage the botnets themselves," he continued. "Of the infection numbers from admin panels available to PhishLabs R.A.I.D. [Research, Analysis, and Intelligence Division], the total number of Vawtrak infections increased from approximately 65,000 in 2013, to a number that fluctuates between 100,000 [and] 300,000 currently."
 
SecurityWeek, full article here: http://www.securityweek.com/vawtrak-malware-expands-targets-capabilities-phishlabs


By Abigail Wang, 28/09/2014, excerpt:

Waging a Cyber Battle

As of now, Vawtrak specifically targets the U.S., Canada, the UK, Australia, Turkey, and Slovakia. Newer versions of the Vawtrak botnet can capture additional personal data to exploit victims by using webinjects. 
Due to advanced data-hiding tactics, it might be harder for authorities to detect and stop criminal activity. Vawtrak's new webinject capabilities allow it to modify data in web traffic even if it's been secured with encryption. This lets it steal login credentials, automate fraudulent transactions within online banking sessions, and insert form fields into legitimate webpages to gather additional personal information.
 
Full Article
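The webinject mechanism described in the excerpt above, as an added illustration that is not code from the original post, from PhishLabs or from the Vawtrak malware itself: a rule names a target URL, a marker to look for in the page, and HTML to splice in after it. Because the hook runs inside the browser process, it sees the page after TLS decryption, which is why encryption on the wire does not stop it. The rule format, field names, hostnames and the sample login page are all constructed assumptions for this example.

```python
import re

# Constructed, illustrative webinject rule. The field names (target, data_before,
# data_inject) are an assumption modelled on typical banking-trojan configs; this is
# not Vawtrak's real configuration format.
WEBINJECT_RULES = [
    {
        "target": re.compile(r"^https://bank\.example/login"),
        "data_before": '<input type="password" name="password">',
        "data_inject": (
            "<label>Mother's maiden name "
            '<input type="text" name="mmn"></label>'
        ),
    },
]


def apply_webinjects(url, html, rules=WEBINJECT_RULES):
    """Return (modified_html, injected_count) as a man-in-the-browser hook would
    see it: the page has already been decrypted by the browser, so TLS does not
    protect it from code running inside the browser process."""
    count = 0
    for rule in rules:
        if not rule["target"].match(url):
            continue
        marker = rule["data_before"]
        if marker in html:
            # Splice the extra field in right after the marker, once.
            html = html.replace(marker, marker + rule["data_inject"], 1)
            count += 1
    return html, count


def form_field_names(html):
    """Names of the <input> elements in a page. A defender can compare what the
    server rendered against what the browser submits to spot fields it never asked for."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


# Constructed sample login page, standing in for what the bank's server serves.
SAMPLE_PAGE = (
    "<html><body><form method='post' action='/login'>"
    '<input type="text" name="user">'
    '<input type="password" name="password">'
    "<button>Sign in</button></form></body></html>"
)

if __name__ == "__main__":
    modified, n = apply_webinjects("https://bank.example/login", SAMPLE_PAGE)
    print(n, "injection(s) applied")
    print("fields the server never served:",
          form_field_names(modified) - form_field_names(SAMPLE_PAGE))
```

The server-side view is the useful check here: a POST to `/login` carrying a field such as `mmn` that the served form never contained is a strong signal of a man-in-the-browser modification, independent of anything the client reports.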
The following article is an update:

'Vawtrak' Banking Malware Continues to Evolve

By Brian Prince on December 22, 2014
 
Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.
Also known as NeverQuest and Snifula, Vawtrak injects a DLL into browser processes. When the targeted URLs are visited by an infected user, the malware inserts extra code into the web page. That extra code is used for a number of reasons, including bypassing two-factor authentication, a new paper from Sophos notes.
 
"The updates are mostly about disguising where the malware connects when it 'calls home' to fetch its instructions on what to do next," blogged Sophos' James Wyke. "Additionally, the way that Vawtrak communicates with its so-called command-and-control (C&C) servers has been adapted so that the malware's traffic looks less suspicious. We have also observed new configuration files being deployed, and an interesting trend in the commands sent back by the C&C servers when an infected computer first checks in."
 
More specifically, the updates included how the list of command-and-control server addresses is stored inside the Vawtrak program file. In addition, the malware makes heavy use of pseudorandom numbers produced by a Linear Congruential Generator (LCG) algorithm that scrambles the data it contains.
 
 
full article
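An added example of the scrambling technique the excerpt above describes: a C&C address list XORed against a keystream drawn from a linear congruential generator. This is illustrative code written for this thread, not Vawtrak's code and not the Sophos paper's decoder. The LCG constants are the Numerical Recipes parameters, the blob layout (4-byte little-endian seed followed by the XORed list) and the hostnames are assumptions; the real sample's constants and layout are only in the Sophos paper.

```python
import re

# Illustrative LCG keystream obfuscation. Constants and blob layout are assumptions
# for this example, not Vawtrak's actual implementation.
LCG_A = 1664525
LCG_C = 1013904223
MASK32 = 0xFFFFFFFF


def lcg_stream(seed, n):
    """n keystream bytes from x_{k+1} = (a*x_k + c) mod 2^32, taking the high
    byte of each state (the low byte of a power-of-two LCG cycles every 256)."""
    x = seed & MASK32
    out = bytearray()
    for _ in range(n):
        x = (LCG_A * x + LCG_C) & MASK32
        out.append(x >> 24)
    return bytes(out)


def xor_with_lcg(data, seed):
    """XOR is its own inverse, so one function both scrambles and unscrambles."""
    return bytes(b ^ k for b, k in zip(data, lcg_stream(seed, len(data))))


def pack_c2_list(hosts, seed):
    """Build the blob as it might sit in a program file: seed, then scrambled list."""
    plaintext = "\n".join(hosts).encode()
    return seed.to_bytes(4, "little") + xor_with_lcg(plaintext, seed)


def unpack_c2_list(blob):
    """The analyst's decoder: read the seed, regenerate the keystream, XOR it off."""
    seed = int.from_bytes(blob[:4], "little")
    return xor_with_lcg(blob[4:], seed).decode().split("\n")


def visible_strings(data, min_len=4):
    """Rough equivalent of the `strings` tool: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


# Constructed hostnames (RFC 2606 reserved TLD), not real infrastructure.
HOSTS = ["c2-a.example.invalid", "c2-b.example.invalid"]

if __name__ == "__main__":
    blob = pack_c2_list(HOSTS, 0x1234)
    print("strings on scrambled blob:", visible_strings(blob))
    print("decoded:", unpack_c2_list(blob))
```

The point for an analyst is that this is obfuscation rather than encryption: the generator is fixed and the seed has to be recoverable by the malware, so it is recoverable by anyone holding the sample, and a small config-extractor like `unpack_c2_list` turns a `strings`-resistant blob back into blockable indicators.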
The following article is an update:

Vawtrak challenges almighty ZeuS as king of the botnets

27 Dec 2014 at 13:30, John Leyden
 
Crooks behind Vawtrak, a dangerous banking Trojan, are ramping up its reach and sophistication, security firms have warned.
Vawtrak currently ranks as the single most dangerous threat, according to PhishLabs. Only Zeus and its many variants (GameOver, KINS, ZeusVM, Zberp, etc.) taken as a single malware "family" would outrank Vawtrak.
 
Original Vawtrak attacks primarily targeted financial institutions in Japan but recently observed configuration files extend attacks on social networks, online retailers, analytics firms, game portals and more. Geographic distribution has apparently been expanded to specifically target the US, Canada, the UK, Australia, Turkey, and Slovakia.
The technical sophistication of the worm has also increased through the incorporation of advanced webinjects that enables the capture of additional personal information.
Vawtrak is typically delivered through one of three different methods: as the payload of an exploit kit, through malicious spam email attachments, or by getting downloaded onto already compromised systems as a secondary malware infection.
 
full article
