Vawtrak Trojan Hides Updated Server List in Website Icons

  • 25 March 2015

By Ionut Ilascu    25 Mar 2015
 
http://i1-news.softpedia-static.com/images/news2/Vawtrak-Trojan-Hides-Updated-Server-List-In-Website-Icons-476711-2.jpg
 
Over 13,000 Canadians affected by recent Vawtrak campaign
 
Banking Trojan Vawtrak is continually evolving, with its authors finding new ways to evade detection and changing the methods used for communication; the latest approach is to use favicons to store the updated list of command and control servers and deliver it to the infected machine.
 
Favicons are icons displayed in browser tabs for the loaded websites in order to make browsing more comfortable and efficient. They are small image files, approximately 4KB in size.
 

Update C&C servers are hidden in Tor

 
An analysis from AVG's Jakub Kroustek revealed on Tuesday that the operators behind Vawtrak now rely, in some versions of the malware, on digital steganography, a method of concealing data in images, in this case text in favicons.
 
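The favicon trick described above, as an added, generic illustration of LSB steganography that is not Vawtrak's code and is not taken from AVG's analysis: a server list is written into the least significant bit of each colour byte of an image, then read back, and a simple neighbour-difference check shows why a flat-coloured icon makes a poor cover. It assumes a constructed 16x16 RGB pixel buffer standing in for a real favicon, a constructed server list, and a length-prefixed layout chosen for this example only; the layout, encoding and any encryption or signing a real sample uses would have to be recovered from the binary.

```python
"""
LSB steganography of a text server list inside a small RGB image.
Added example; not Vawtrak's actual scheme. The cover image, the server
list and the 4-byte-length-plus-data layout are all constructed here.
"""

WIDTH, HEIGHT, CHANNELS = 16, 16, 3  # a favicon-sized 16x16 RGB buffer (assumption)

# Constructed sample server list; hostnames are placeholders, not real C&C.
SERVERS = ["c2-one.example", "c2-two.example", "c2-three.example"]


def make_cover_icon():
    """Constructed cover: a two-colour 4x4 checkerboard icon as raw RGB bytes."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            if (x // 4 + y // 4) % 2 == 0:
                px += bytes((0x20, 0x60, 0xC0))
            else:
                px += bytes((0xF0, 0xF0, 0xF0))
    return px


def capacity_bytes(pixels):
    """One payload bit per colour byte, so eight colour bytes per payload byte."""
    return len(pixels) // 8


def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Hide payload as a 4-byte big-endian length followed by the data, one bit per LSB."""
    frame = len(payload).to_bytes(4, "big") + payload
    if len(frame) > capacity_bytes(pixels):
        raise ValueError("payload does not fit in the image")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB and set it to the payload bit
    return out


def _bytes_from_lsbs(pixels, start_byte, count):
    """Reassemble count payload bytes starting at payload byte offset start_byte."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[(start_byte + i) * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Read the length field, sanity-check it against capacity, then read the data."""
    length = int.from_bytes(_bytes_from_lsbs(pixels, 0, 4), "big")
    if 4 + length > capacity_bytes(pixels):
        raise ValueError("length field exceeds image capacity; not our layout")
    return _bytes_from_lsbs(pixels, 4, length)


def parse_server_list(payload):
    """Payload layout assumed here: one hostname per line, UTF-8."""
    return [line for line in payload.decode("utf-8").split("\n") if line]


def lsb_noise_ratio(pixels):
    """Fraction of pixels that differ from their left neighbour only in the lowest bit
    of each channel. A flat-coloured icon scores 0.0; LSB embedding drives it up."""
    hits = total = 0
    for y in range(HEIGHT):
        for x in range(1, WIDTH):
            i = (y * WIDTH + x) * CHANNELS
            left, cur = pixels[i - CHANNELS:i], pixels[i:i + CHANNELS]
            total += 1
            if cur != left and all(abs(a - b) <= 1 for a, b in zip(cur, left)):
                hits += 1
    return hits / total


if __name__ == "__main__":
    cover = make_cover_icon()
    stego = embed(cover, "\n".join(SERVERS).encode("utf-8"))
    print("recovered:", parse_server_list(extract(stego)))
    print("noise ratio cover=%.2f stego=%.2f" % (lsb_noise_ratio(cover), lsb_noise_ratio(stego)))
```

The noise check is deliberately crude: it only works because the cover has large flat regions, which is exactly what most favicons have. Photographic covers would need a proper statistical test.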


The Vawtrak (aka Snifula) multifunctional malware has been around since mid-2013. Its information-stealing, backdoor and spying capabilities deservedly earned it the description as the "Swiss army knife" of malware.

Since its creation, the authors have been constantly tweaking it, changing features, target regions or banks. It is spread via exploit kits, malware downloaders and drive-by downloads, so chances are good that at one time or another many users have run into it.

This February, for example, researchers repeatedly spotted it being delivered via malicious macros.

AVG developer Jakub Kroustek has recently penned a whitepaper analyzing the threat and the latest improvements it received. Among these is an improved way of receiving updated lists of live C&C servers:

"[The malware's] update servers are hosted on the Tor hidden Web services and they are accessed via a Tor2web proxy without a need to install any special software such as Torbrowser. Moreover, the communication with the remote server is done over SSL, which adds further encryption," he explained.
 
