Vawtrak Trojan Now Increasingly Obscure by Employing Tor2Web, Finds Fortinet

Creators of Vawtrak the banking Trojan, whose other names are Snifula and Neverquest, are using the Tor2Web to make their servers obscure and so more difficult for security researchers to detect the malware's activity, says Fortinet the security company.

Till now Vawtrak's techniques such as stealing from banking websites, filching login credentials and breaking encryption have been significantly recorded; however, according to Fortinet presently, the Trojan has employed another technique of concealing its servers with the help of Tor2Web in order that it can now bypass detection much better.

The function of Tor2Web is helping to execute Tor's services while no direct connection occurs with the network, which actually implies that although people using the service can still be traced, their systems and servers relying on Tor can't.

Elaborating on this, Security Researcher Raul Alvarez with Fortinet says that the source code of Vawtrak contains a number of DWORD values corresponding with various domain-names. Softpedia.com reported this, June 9, 2015.

Alvarez says every DWORD value works like one seed utilized for producing its matching domain-name. Such seeds like fixed values get stored inside the source-code, thus generating identical pseudo-randomized domain-names. For acquiring any of these domain-names, Vawtrak employs that seed which corresponds to the particular domain-name for producing the latter's pseudo-randomized features.

Nevertheless, this method isn't foolproof as it's possible to crack the algorithm followed with finding the strings produced.

The malware has layers to help penetrate anti-malware software, limit consents, as well as make sure it persists when the victim reboots his computer.

In 2014, Vawtrak first worked like one banking Trojan with multifaceted features after which it also acquired the capability to inject into the Web to become dexterous at garnering PINs and Social Security Numbers prior to finally evolving for targeting retailers and social media besides banks.

Thus for remaining safe from Vawtrak's infection, one requires being watchful when online, although the Trojan may even then get in through other infection mediums, despite no direct interaction by the end-user. Hence, having up-to-date anti-virus programs is most essential no matter if the malware attempts at deactivating any anti-virus enabled on the host PC.

» SPAMfighter News - 6/18/2015