Step aside Zeus, Vawtrak has claimed your throne
This bad boy, labeled ‘Vawtrak’, has been lurking around for some time (since before December 2014) and is gaining serious momentum, infecting machines across the globe and being continuously developed with very cunning update and command-and-control functionality.
So first of all, what does Vawtrak do? So far, it has been found (by AVG, Sophos, Kaspersky and all the usual suspects) to:
- Steal multiple types of passwords, whether used by the user online or stored on the local machine;
- Inject custom code into web pages displayed to the user (this is mostly aimed at online banking sites);
- Carry out surveillance of the user (key logging, taking screenshots, capturing video);
- Create remote access to the user’s machine (VNC, SOCKS).
Worried yet? You should be, and as if that isn’t enough, read on.
As well as all of the above, Vawtrak uses the TOR network to exfiltrate your precious data and also to receive updates. Not happy with a straightforward encrypted stream, the Vawtrak criminals use steganography to hide updates within favicons, the miniature site icons you see in your browser.
Any of you who tried to solve the Cicada 3301 puzzle will be familiar with steganography, which hides data within images without visibly changing the image and is statistically difficult to detect. The Cicada example can be seen here if you are so inclined.
Delivered via phishing emails, drive-by visits to infected websites and good old-fashioned exploit kits like Angler, Vawtrak is also very difficult to spot and does a good job of evading antivirus products, which struggle to keep pace with the continuous development of this nasty piece of work.
As with many things, prevention is easier than cure, and we recommend that, as well as keeping your AV up to date, you remind your users not to open mail from people they don’t know and certainly not to click on links in such mails. It is amazing how many people do!
Also keep your URL filtering up to date and, if you have it, enable functionality on your firewalls that can detect rogue DNS addresses (used for command-and-control servers) using the vendor’s global database (Palo Alto has this functionality, for instance).
You should also identify traffic to and from rogue destinations and TOR exit nodes, again using lists that are regularly updated from as many sources as you can get your hands on.
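As an added illustration of that last recommendation (not code from the original post or from any vendor), the following script matches firewall or proxy log lines against a TOR exit-node list and a rogue-destination list. The feed contents, the key=value log format and the log lines themselves are constructed for the example; internal RFC 1918 addresses and unparsable fields are skipped rather than matched.

```python
import ipaddress
import re
# Constructed, hypothetical feed contents; refresh from your vendors' lists in practice.
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}
ROGUE_DESTINATIONS = {"update-cdn.invalid", "203.0.113.9"}
# Constructed firewall/proxy log lines in a key=value style.
SAMPLE_LOGS = [
    "ts=2015-03-02T10:01:13Z src=10.0.5.14 dst=198.51.100.23 dport=443 action=allow",
    "ts=2015-03-02T10:02:40Z src=10.0.5.14 dst=93.184.216.34 dport=80 host=example.com action=allow",
    "ts=2015-03-02T10:03:02Z src=10.0.5.22 dst=203.0.113.9 dport=80 host=update-cdn.invalid action=allow",
    "ts=2015-03-02T10:04:55Z src=203.0.113.77 dst=10.0.5.30 dport=5900 action=allow",
    "malformed line with no fields",
]
_KV = re.compile(r"(\w+)=(\S+)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def parse_line(line):
    # One key=value log line -> dict; a malformed line yields {}.
    return dict(_KV.findall(line))

def _skip(ip_text):
    # Internal (RFC 1918) addresses are never in a feed; unparsable fields are not matched.
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(addr in net for net in _RFC1918)

def classify(entry):
    # Reasons an entry should be flagged; an empty list means it looks clean.
    reasons = []
    for side in ("src", "dst"):
        ip = entry.get(side, "")
        if _skip(ip):
            continue
        for feed, label in ((TOR_EXIT_NODES, "TOR exit node"), (ROGUE_DESTINATIONS, "known rogue destination")):
            if ip in feed:
                reasons.append(f"{side} is a {label} ({ip})")
    host = entry.get("host", "").lower().rstrip(".")
    if host in ROGUE_DESTINATIONS:
        reasons.append(f"host is a known rogue destination ({host})")
    return reasons

def scan(lines):
    # (timestamp, reasons) for every flagged line; malformed lines are dropped.
    alerts = []
    for entry in map(parse_line, lines):
        reasons = classify(entry) if "ts" in entry else []
        if reasons:
            alerts.append((entry["ts"], reasons))
    return alerts
```

Running `scan(SAMPLE_LOGS)` flags the outbound connection to an exit node, the update-server lookup, and the inbound connection from an exit node, while the ordinary web visit and the malformed line produce nothing.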
Sounding tricky? Fortunately, help is at hand. All of the capabilities above are standard parts of ITC’s award-winning NetSure360° managed security service, which we can deploy much more quickly and easily than you would think, continuously monitoring your environment from our 24-hour security operations centre in London’s Docklands.
If you would like to know more about our services or just have a good old chat about your never ending security issues, please do contact us at: 020 7517 3900 or email: [email protected]