This news is a couple of days old but I didn't see anything posted. A new, dangerous version of the Vawtrak banking Trojan that appeared in July is back in a new form with a vengeance, and is apparently propagating like wildfire worldwide. Examples of recent headlines: "Vawtrak is Back and Stronger than Ever"; "Banking Trojan Vawtrak: Harvesting Passwords Worldwide". AVG has an extensive white paper on it. Scary stuff: http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf Sorry if it's a dupe, but I did a search first.
I've read it, basically you need HIPS that can stop code injection, and can also block or spot modification to browser and explorer hooks.
I'm curious how this thing gets privileges sufficient to enable SRP, set kernel hooks, stuff like that. Looks like the AVG researchers haven't figured out that mechanism yet. Grimly amusing to see that Trusteer Rapport doesn't do what it's supposed to, because the trojan hooks the same bog-standard API functions that it does. Gee, you can intercept the keystrokes before Trusteer can, who'da thunk? The dropper mechanism they describe is astonishingly boring, though. Especially the social engineering mechanism. Double extension, gee whiz! Any antivirus that lets that through is certainly not worth paying for IMO. Edit: the most sinister aspect, I think, is that it communicates with C&C servers over HTTP. This would make C&C communications hard to spot unless you ran a transparent proxy for HTTP.
@Gullible Jones: Any software that injects code into other processes can modify "user mode hooks", as long as it runs at the same integrity level, if I'm correct. Tools like Trusteer, Zemana, SpyShelter and HMPA are designed to block or spot modifications to browser memory. The only problem is that legitimate apps might sometimes also do it, so I believe they use white-listing in order to avoid problems. https://www.mwrinfosecurity.com/articles/dynamic-hooking-techniques-user-mode/
@Rasheed187 Thanks for the link! I'm pretty sure that using SRP to disable AV software requires admin privileges, though. (And if your AV can be disabled without admin privileges, then again, it's not worth the price tag.) Edit: re Trusteer - so they install their hooks in user mode, and call it protection against locally installed malware? Because it definitely isn't.
Oh look... Trustport isn't on the list of ones it disables... Security through obscurity? Also, Trustport contains a very powerful HIPS that would likely stop this, as it would be attempting to work its magic in spaces Trustport has listed as 'protected' spaces. Finally, this wouldn't bypass UTM/NGFW-based scanners, since those aren't running on the machines, and would scan the file in-stream on the download and purge it (likely). Reinforcing the importance of a UTM.
Is Linux also exploitable, e.g. on-the-fly code injection, or are certain Windows-specific modules required, e.g. to communicate with the C&Cs?
That's the point: almost always, preventing those infections is ridiculously easy; you don't need this and that product to block them. So we security enthusiasts have to "dream up" targeted attack scenarios or something, to justify our setup! lol Well, using HTTP for C&C is a relatively common way in recent targeted attacks, but interestingly many of them give up when you use a (non-transparent) proxy. It is not because of precautions against detection, but simply because those malware are not capable of connecting via a proxy―a bit incredible! Of course, more advanced malware can connect via a proxy.
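The proxy observation in the two posts above (HTTP C&C is hard to spot without a proxy; non-proxy-aware malware simply fails when an explicit proxy is enforced) suggests one cheap detection: on a network where only the proxy may speak to the Internet on 80/443, any workstation trying to go direct is either misconfigured or running something that does not know about the proxy. The following is an added example, not code from the thread or from AVG; the log format, the proxy address 10.0.0.10, the 10.0.0.0/8 internal range and the log lines themselves are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed environment (not from the thread): the explicit proxy is the only host
# allowed to reach the Internet on web ports; all internal space is 10.0.0.0/8.
PROXY_HOSTS = {"10.0.0.10"}
WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in a generic key=value style (no vendor's format).
SAMPLE_LOG = """\
ts=2015-03-12T09:01:02 action=allow src=10.0.0.10 dst=93.184.216.34 dport=80 proto=tcp
ts=2015-03-12T09:01:05 action=deny src=10.0.5.23 dst=203.0.113.7 dport=80 proto=tcp
ts=2015-03-12T09:01:09 action=deny src=10.0.5.23 dst=203.0.113.7 dport=80 proto=tcp
ts=2015-03-12T09:01:13 action=deny src=10.0.5.23 dst=203.0.113.7 dport=80 proto=tcp
ts=2015-03-12T09:02:00 action=allow src=10.0.5.23 dst=10.0.0.10 dport=3128 proto=tcp
ts=2015-03-12T09:02:30 action=deny src=10.0.7.4 dst=198.51.100.9 dport=443 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; unknown tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direct_web_attempts(log_text: str) -> Counter:
    """Count (src, dst, dport) tuples for web-port connections that bypass the proxy.

    Denied attempts are counted too: repeated denies from one workstation to one
    external host on port 80 are exactly what non-proxy-aware malware produces
    when an explicit proxy is enforced at the perimeter.
    """
    hits = Counter()
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if not {"src", "dst", "dport"} <= f.keys():
            continue  # malformed line; skip rather than guess
        if int(f["dport"]) not in WEB_PORTS:
            continue
        if f["src"] in PROXY_HOSTS or is_internal(f["dst"]):
            continue  # proxy egress, or traffic that never leaves the network
        hits[(f["src"], f["dst"], int(f["dport"]))] += 1
    return hits


def top_offenders(log_text: str, limit: int = 10) -> list:
    """Return [(src, dst, dport, count), ...] ordered by count, highest first."""
    counts = direct_web_attempts(log_text)
    return [(s, d, p, n) for (s, d, p), n in counts.most_common(limit)]


if __name__ == "__main__":
    for src, dst, dport, n in top_offenders(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  direct attempts: {n}")
```

On the constructed sample this reports 10.0.5.23 trying 203.0.113.7:80 three times in a row despite the proxy being reachable (its 3128 connection is ignored as internal), plus a single 443 attempt from 10.0.7.4. The proxy's own egress is excluded by address, so a real deployment would also want to alert on any direct allow, not just deny, from a non-proxy host.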
Well, the opposite is also true: any software can reject injection or hooks via LoadLibrary, SetWindowsHookEx, and/or CreateRemoteThread from a process of the same privilege, and in certain circumstances can even "counter attack" the injecting process if the writer wanted to do so. But anyway, most programs accept hooks, and it seems GJ's point is another one: sure, to change SRP settings they have to access HKLM, so admin privilege is required.
My comments were a response to Gullible Jones' mention of Trusteer. Personally I think "injection and API hooking" is the most interesting thing; if you disrupt that, it's game over for these banking trojans. Old skool HIPS could not do it, so that's why I'm quite impressed with tools like HMPA, Webroot, Zemana and SpyShelter, at least from a technical point of view. Although I have never actually tested them against banking trojans.
Hi, I haven't kept up with AV technology. How does an AV catch a double-extension file? Thanks, ---- rich
@Rmus - I don't know if any do, but a very simple regular expression would probably do the trick, e.g. \.[^.]+\. would match any filename containing a dot followed by any number of letters followed by another dot, e.g. niftypic.png.exe. It wouldn't even be necessary to block it from opening - for this type of social engineering exploit, it would probably suffice to make the system treat such filenames as if the files had no-exec permissions set. That way .tar.gz files, for instance, could be opened while .pdf.exe files would not be executed.
I thought you mentioned that AV should catch this trick. That seems complicated to me! But I don't understand this type of coding anyway. It was much easier 10 years ago when this trick was quite popular in the wild (do you remember Netsky?). The trick was to leave many spaces between the two file names. In this case, in the default window position of WinZip, the second extension did not show. I tested in those days with an early version of Faronics Anti-Executable which I installed on users' home computers. It had copy protection which blocked the file from being extracted to disk and opened, in case the user selected to open the file, because the file did not match the whitelist hash/location-on-disk information. ---- rich
Though it may be off topic and nitpicking, maybe that's too generic? How about this... ^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+$
@142395 yeah, that would be better. My thought was that a filename like, say, 'com.foobar.mycoolapp.jar' would be a corner case, and also not a Windows executable. The intersection of 'filenames containing two dots' and 'things you want to execute as native Windows binaries' should be very, very small. Edit: using a line anchor is probably smart; however, one could embed newlines in the file name. That's an old UNIX malware trick.
I made a silly mistake... corrected, and I hope this is a proper expression. The initial one actually specified e.g. example.#%&.<>+ Sorry, what is a line anchor... do you mean "_"? Can you give me an example of that trick, or a link to that malware?
@142395 I meant the '$', sorry. An example of that old trick would be having a file named e.g. niftypic.png .exe with a literal newline character (or a literal carriage return and newline for Windows, maybe) between the two extensions. That can wreak all kinds of havoc on programs that make assumptions about filenames, and coincidentally won't match your regex.
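The regex exchange above (the \.[^.]+\. and ^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+$ proposals, the embedded-newline objection, and the earlier post's Netsky-era padding of spaces between the two extensions) is easier to judge with the cases side by side. The following is an added example, not code from the thread; it keeps the thread's second regex verbatim to show where it breaks, and then classifies names by normalising them first instead of trusting one anchored pattern. The executable and decoy extension lists are assumptions for illustration, and stripping all control/format characters goes slightly beyond the newline case discussed above.

```python
import re
import unicodedata

# Assumed lists (not from the thread): extensions the Windows shell launches as
# code, and document/image extensions a lure borrows as the visible decoy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "ps1"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "jpeg",
              "png", "gif", "zip", "htm", "html"}

# The expression proposed in the thread, verbatim, kept to show where it breaks.
THREAD_RE = re.compile(r"^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+$")


def thread_regex_matches(name: str) -> bool:
    """True when the thread's regex would flag the name."""
    return THREAD_RE.match(name) is not None


def canonical_name(name: str) -> str:
    """Normalise a filename before deciding anything about it.

    - drops control and format characters (newline, CR, tab, bidi overrides);
      an embedded newline is the trick that defeats a '$'-anchored regex
    - collapses runs of whitespace to one space, which neutralises the
      Netsky-era padding that pushes the real extension out of view
    - lowercases, as the Windows shell compares extensions case-insensitively
    """
    kept = "".join(ch for ch in name
                   if unicodedata.category(ch) not in ("Cc", "Cf"))
    return re.sub(r"\s+", " ", kept).strip().lower()


def classify(name: str) -> dict:
    """Flag 'decoy.ext<junk>.exe' style names and report why."""
    reasons = []
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        reasons.append("control/format characters embedded in the name")

    canon = canonical_name(name)
    # Components between dots; the last non-empty one is the extension the
    # shell will actually act on.
    parts = [p.strip() for p in canon.split(".") if p.strip()]
    if len(parts) >= 2:
        real_ext, inner = parts[-1], parts[1:-1]
        if real_ext in EXECUTABLE_EXTS and any(p in DECOY_EXTS for p in inner):
            reasons.append("decoy extension precedes executable ." + real_ext)
            # Two or more whitespace characters right before the last extension
            # in the raw name is the padding trick; report it separately.
            if re.search(r"\s{2,}\.\S*\Z", name):
                reasons.append("whitespace padding hides the real extension")

    return {"canonical": canon, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample names: the thread's examples plus a legitimate one.
    samples = [
        "niftypic.png.exe",                 # plain double extension
        "niftypic.png\n.exe",               # embedded newline (post above)
        "invoice.pdf" + " " * 60 + ".scr",  # Netsky-style padding
        "com.foobar.mycoolapp.jar",         # two dots, not a Windows binary
        "backup.tar.gz",                    # benign double extension
    ]
    for s in samples:
        verdict = classify(s)
        print(f"{s!r:48} regex={thread_regex_matches(s)!s:5} "
              f"suspicious={verdict['suspicious']!s:5} {verdict['reasons']}")
```

Run as a script, the table shows the two failure modes raised in the thread: the verbatim regex misses both the newline-split name and the space-padded name (neither has an alphanumeric run immediately on both sides of the last dot), while it happily matches backup.tar.gz and the .jar corner case. The classifier flags the first three and passes the last two because it looks at what the final extension is rather than at how many dots the name contains.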
From the article: And: Chanitor Downloader actively installing Vawtrak http://research.zscaler.com/2015/01/chanitor-downloader-actively-installing.html This shouldn't be much of a threat, it seems to me. Even if I'm tricked by the social engineering stuff, the .scr file can do nothing, as I showed in my post #13 above. This type of trickery has been around for at least 10 years. ---- rich
Thanks @Rmus, so the apparently high (and increasing) levels of infection are primarily indicators of generally low (or non-existent) levels of protection? I would expect that it wouldn't affect Wilders members.
Hi Dermot7, I've never found it useful to attempt to figure out the reported statistics of levels of infection. Numbers can be very sensational and impressive, but generally meaningless, from my point of view. A few quotes from a recent search: How can I know the situations under which these users were infected? Who cares! Unless, however, a user comes for some help or advice... Many of the articles give impressive analyses of what the malware does once installed. From a preventative standpoint, who cares! Better use of the article's space would be to reiterate how easy most of this stuff is to prevent, and discuss policies and procedures that users can employ proactively. ---- rich
Indeed, thanks Rmus, that's kind of what I was thinking, and anyway selling Security Software and services is a huge business nowadays, and one can't expect the vendors to teach people how not to need their products, but that might seem a somewhat negative view, and I agree with the need to explain and teach, but we also know that many many will just not learn (or even want to), and prefer to concentrate on the 'happy clicking'...
Perhaps not, that's just telling it like it is. Vendors sell products; that is their business. To their credit, some vendors offer some proactive advice, as AVG does with this link in their PDF cited in hawki's post: http://now.avg.com/german-phishing-scam-spreading-globally/ Otherwise, the reader has to be on guard not to become too fearful from the scary evidence presented in these articles as to what can happen when infected with this malware. ---- rich