Dangerous 'Vawtrak Banking Trojan' v2 Harvesting Passwords Worldwide

Discussion in 'other security issues & news' started by hawki, Mar 27, 2015.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
This news is a couple of days old but I didn't see anything posted. The new dangerous version of the Vawtrak banking Trojan that appeared in July is back in a new form with a vengeance, and is apparently propagating like wildfire worldwide.

    Examples of Recent Headlines:

    "Vawtrak is Back and Stronger than Ever"

    "Banking Trojan Vawtrak: Harvesting Passwords Worldwide"

    AVG has an extensive White Paper on it. Scary Stuff:

    http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf

    Sorry if it's a dupe, but did a search first.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I've read it, basically you need HIPS that can stop code injection, and can also block or spot modification to browser and explorer hooks.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I'm curious how this thing gets privileges sufficient to enable SRP, set kernel hooks, stuff like that. Looks like the AVG researchers haven't figured out that mechanism yet.

    Grimly amusing to see that Trusteer Rapport doesn't do what it's supposed to, because the trojan hooks the same bog-standard API functions that it does. Gee, you can intercept the keystrokes before Trusteer can, who'da thunk?

    The dropper mechanism they describe is astonishingly boring, though. Especially the social engineering mechanism. Double extension, gee whiz! Any antivirus that lets that through is certainly not worth paying for IMO.

    Edit: the most sinister aspect, I think, is that it communicates with C&C servers over HTTP. This would make C&C communications hard to spot unless you ran a transparent proxy for HTTP.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    @ Gullible Jones

    Any software that injects code into other processes can modify "user mode hooks". As long as you run with the same integrity if I'm correct. Tools like Trusteer, Zemana, SpyShelter and HMPA are designed to block or spot modifications to browser memory. The only problem is that legitimate apps might sometime also do it, so I believe they are using white-listing, in order to avoid problems.

    https://www.mwrinfosecurity.com/articles/dynamic-hooking-techniques-user-mode/
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Rasheed187 Thanks for the link! I'm pretty sure that using SRP to disable AV software requires admin privileges, though.

    (And if your AV can be disabled without admin privileges, then again, it's not worth the price tag.)

    Edit: re Trusteer - so they install their hooks in user mode, and call it protection against locally installed malware? Because it definitely isn't. :p
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
Oh look.. Trustport isn't on the list of ones it disables.. Security through obscurity? Also Trustport contains a very powerful HIPS that would likely stop this, as it would be attempting to work its magic in spaces Trustport has listed as 'protected' spaces. Finally, this wouldn't bypass UTM/NGFW based scanners, since those aren't running on machines, and would scan the file in-stream on the download, and purge it (likely). Reinforcing the importance of a UTM.
     
  7. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Is Linux also exploitable, eg. on the fly code injections, or are certain Windows specific modules required eg. to communicate with C&C's ?
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
That's the point: almost always, preventing those infections is ridiculously easy; you don't need this and that product to block them. So we security enthusiasts have to "dream" up a targeted attack scenario or sth to justify our setup! lol
    Well, using http for C&C is a relatively common way in recent targeted attacks, but interestingly many of them give it up when you use a (not transparent) proxy. It is not a precaution against detection, but simply because those malware are not capable of connecting through a proxy―bit incredible! Ofc more advanced malware can connect via proxy.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
Well, the opposite is also true: any software can reject injection or hooks by LoadLibrary, SetWindowsHookEx, and/or CreateRemoteThread from a same-priv process, and in certain circumstances can even "counter attack" the injecting process if the writer wanted to do so. But anyway most programs accept hooks, and it seems GJ's point is another: sure, to change SRP settings they have to access HKLM, so admin priv is required.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
My comments were a response to Gullible Jones' mention of Trusteer. Personally I think "injections and API hooking" is the most interesting thing; if you disrupt that, it's game over for these banking trojans. Old skool HIPS could not do it, so that's why I'm quite impressed with tools like HMPA, Webroot, Zemana and SpyShelter, at least from a technical point of view. Although I have never actually tested them against banking trojans.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi,

    I haven't kept up with AV technology. How does an AV catch a double extension file?

    thanks,

    ----
    rich
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Rmus - I don't know if any do, but a very simple regular expression would probably do the trick, e.g.

    \.[^.]+\.

would match any filename containing a dot followed by any number of letters followed by another dot, e.g. niftypic.png.exe. It wouldn't even be necessary to block it from opening - for this type of social engineering exploit, it would probably suffice to make the system treat such filenames as if the files had no-exec permissions set. That way .tar.gz files, for instance, could be opened while .pdf.exe files would not be executed.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I thought you mentioned that AV should catch this trick.

    That seems complicated to me! But I don't understand this type of coding, anyway.

    It was much easier 10 years ago when this trick was quite popular in the wild (do you remember Netsky?)

    The trick was to leave many spaces between the two file names. In this case:

    dataRtfScr.jpg

    In the default window position of WinZip, the second extension did not show. I tested in those days with an early version of Faronics Anti-Executable which I installed on users' home computers. It had Copy protection which blocked the file from being extracted to disc and opened, in case the user selected to Open the file, because the file did not match the White List Hash/Location on Disk information.

    netsky.gif


    ----
    rich
     
    Last edited: Apr 10, 2015
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
Tho it can be off topic and nitpicking, maybe that's too generic? How about this...
    ^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+$
     
    Last edited: Apr 11, 2015
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Yuki2718 yeah, that would be better. My thought was that a filename like, say 'com.foobar.mycoolapp.jar' would be a corner case; and also not a Windows executable. The intersection of 'filenames containing two dots' and 'things you want to execute as native Windows binaries' should be very, very small.

    Edit: using a line anchor is probably smart, however one could embed newlines in the file name. That's an old UNIX malware trick.
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
I made a silly mistake...corrected, and I hope this is a proper expression. The initial one actually specifies e.g. example.#%&.<>+ :confused:
    Sorry, what is line anchor... do you mean "_"??
    Can you give me an example of that trick, or link to that malware?
     
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Yuki2718 I meant the '$', sorry.

    An example of that old trick would be having a file named e.g.

    Code:
    niftypic.png
    .exe
    with a literal newline character (or literal carriage return and newline for Windows maybe?) between the two extensions. That can wreak all kinds of havoc on programs that make assumptions about filenames, and coincidentally won't match your regex.
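As an added illustration of the three filename tricks discussed in this thread (the plain double extension, Rmus's whitespace padding, and the embedded newline above), here is a small Python classifier that is not from any of the posters or from AVG. It uses Yuki2718's pattern but anchors with `\Z` instead of `$`, since Python's `$` also matches just before a trailing newline; the executable-extension list beyond .exe and .scr is an assumption for illustration.

```python
import re

# Extensions Windows runs directly. .exe and .scr come from the thread;
# the remaining entries are assumed additions for illustration.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Yuki2718's pattern with \Z: \Z matches only at the very end of the string,
# whereas $ would also match before a final "\n".
DOUBLE_EXT_RE = re.compile(r"^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+\Z")
DOLLAR_ANCHORED_RE = re.compile(r"^.*\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+$")

# Padding tricks: a run of whitespace (the Netsky-era spaces trick) or any
# control character, which covers an embedded "\n" or "\r\n".
PADDING_RE = re.compile(r"\s{2,}|[\x00-\x1f\x7f]")


def classify_filename(name: str) -> str:
    """Return 'block', 'suspicious' or 'ok' for a candidate filename."""
    if PADDING_RE.search(name):
        return "block"          # whitespace padding or control characters
    last_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if DOUBLE_EXT_RE.match(name) and last_ext in EXECUTABLE_EXTS:
        return "block"          # niftypic.png.exe style double extension
    if last_ext in EXECUTABLE_EXTS:
        return "suspicious"     # plain executable; leave to other controls
    return "ok"                 # e.g. archive.tar.gz, com.foobar.mycoolapp.jar


def anchor_comparison(name: str) -> tuple:
    """(matches with $, matches with \\Z) to show why the anchor matters."""
    return (DOLLAR_ANCHORED_RE.match(name) is not None,
            DOUBLE_EXT_RE.match(name) is not None)


if __name__ == "__main__":
    # Constructed sample filenames; the spaces one mirrors Rmus's example.
    for sample in ("niftypic.png.exe", "niftypic.png\n.exe",
                   "dataRtfScr.jpg          .scr", "archive.tar.gz",
                   "com.foobar.mycoolapp.jar", "setup.exe"):
        print(repr(sample), "->", classify_filename(sample))
    print(anchor_comparison("niftypic.png.exe\n"))
```

Archives like .tar.gz and multi-dot names that end in a non-executable extension are left alone, which is the narrow intersection Gullible Jones describes.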
     
  18. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    https://www.arbornetworks.com/asert/2015/04/neverquest-a-global-threat-targeting-financials/
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:
    And:

    Chanitor Downloader actively installing Vawtrak
    http://research.zscaler.com/2015/01/chanitor-downloader-actively-installing.html
    This shouldn't be much of a threat, it seems to me. Even if I'm tricked by the social engineering stuff, the .scr file can do nothing, as I showed in my post #13 above.

    This type of trickery has been around for at least 10 years.

    ----
    rich
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
Thanks @Rmus, so the apparently high (and increasing) levels of infection are primarily indicators of generally low (or non-existent) levels of protection? I would expect that it wouldn't affect Wilders members :)
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Dermot7,

    I've never found it useful to attempt to figure out the reported statistics of levels of infection. Numbers can be very sensational and impressive, but generally meaningless, from my point of view. A few quotes from a recent search:

    How can I know the situations under which these users were infected? Who cares! Unless, however, a user comes for some help or advice...

    Many of the articles give impressive analyses of what the malware does once installed. From a preventative standpoint, who cares! Better use of the article's space would be to reiterate how easy most of this stuff is to prevent, and discuss policies and procedures that users can employ proactively.

    ----
    rich
     
  22. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
Indeed, thanks Rmus, that's kind of what I was thinking. Anyway, selling security software and services is a huge business nowadays, and one can't expect the vendors to teach people how not to need their products. That might seem a somewhat negative view, and I agree with the need to explain and teach, but we also know that many, many will just not learn (or even want to), and prefer to concentrate on the 'happy clicking'...
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Perhaps not, that's just telling it like it is. Vendors sell products, that is their business.

To their credit, some vendors offer some proactive advice, as AVG does with this link in the PDF cited in hawki's post:

    http://now.avg.com/german-phishing-scam-spreading-globally/

    Otherwise, the reader has to be on guard not to become too fearful from the scary evidence presented in these articles as to what can happen when infected with this malware.

    ----
    rich
     