Multifunctional Vawtrak malware now updated via favicons
The Vawtrak (aka Snifula) multifunctional malware has been around since mid-2013. Its information-stealing, backdoor and spying capabilities have earned it a well-deserved reputation as the “Swiss army knife” of malware.
Since its creation, the authors have been constantly tweaking it, changing features, target regions and targeted banks. It is spread via exploit kits, malware downloaders and drive-by downloads, so chances are good that many users have run into it at one time or another.
AVG developer Jakub Kroustek has recently penned a whitepaper analyzing the threat and the latest improvements it has received. Among these is an improved way of receiving updated lists of live C&C servers:
“[The malware’s] update servers are hosted on the Tor hidden Web services and they are accessed via a Tor2web proxy without a need to install any special software such as Torbrowser. Moreover, the communication with the remote server is done over SSL, which adds further encryption,” he explained.
“The list of servers can be updated by a file obtained from those update C&Cs. Vawtrak’s author(s) made the detection of such communication with its servers more difficult by communicating only while the user is browsing the Internet (i.e. while a browser produces a network traffic). Furthermore, Vawtrak uses steganography to hide those update lists inside the favicons on the update servers.”
For those who might not know, favicons – also known as Web site icons and bookmark icons – are files containing one or more small icons associated with a particular website.
Because every website serves one, a favicon request looks unremarkable in network traffic, and its small size (around 4 kB) is still enough to carry an (encrypted) update file hidden inside.
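To make the mechanism concrete, here is an added example (not code from the whitepaper, and not Vawtrak's own scheme) that builds a 32×32 32-bit favicon, hides a length-prefixed server list in the least significant bit of each pixel byte, and recovers it. The ICO builder, the LSB layout, the length prefix and the sample `.onion` names are all assumptions for illustration; the resulting file is about 4 kB, which is why an icon this size has room for a few hundred bytes of update data. An analyst-side helper shows one cheap heuristic for spotting a noisy LSB plane in otherwise flat icon art.

```python
"""LSB steganography in a favicon: embed a C&C server list in the pixel
bytes of a 32x32 32-bit ICO and recover it.

Added example. The ICO builder, the scheme (4-byte big-endian length prefix,
one payload bit in the least significant bit of each BGRA byte) and the
server names are assumptions for illustration, not Vawtrak's actual format.
"""
import struct

WIDTH = HEIGHT = 32  # 32x32 at 32 bpp gives a ~4 kB icon, like the ones described

# Constructed sample payload: the kind of update list a bot might fetch.
SAMPLE_LIST = b"srv1.example.onion\nsrv2.example.onion\nsrv3.example.onion\n"


def cover_pixels() -> bytes:
    """Checkerboard cover image as raw BGRA bytes (the innocent 'art' of the icon)."""
    out = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            out += bytes((0x40, 0x80, 0xC0, 0xFF)) if (x + y) % 2 else bytes((0x20, 0x60, 0xA0, 0xFF))
    return bytes(out)


def build_ico(pixels: bytes) -> bytes:
    """Wrap raw 32 bpp BGRA pixels in a minimal single-image ICO container."""
    assert len(pixels) == WIDTH * HEIGHT * 4
    and_mask = b"\x00" * (((WIDTH + 31) // 32) * 4 * HEIGHT)  # 1 bpp mask, rows padded to 4 bytes
    # BITMAPINFOHEADER; the height is doubled because it covers both XOR and AND masks
    dib = struct.pack("<IiiHHIIiiII", 40, WIDTH, HEIGHT * 2, 1, 32, 0,
                      len(pixels) + len(and_mask), 0, 0, 0, 0)
    image = dib + pixels + and_mask
    icondir = struct.pack("<HHH", 0, 1, 1)  # reserved, type=1 (icon), image count
    entry = struct.pack("<BBBBHHII", WIDTH, HEIGHT, 0, 0, 1, 32, len(image), 6 + 16)
    return icondir + entry + image


def pixel_region(ico: bytes) -> tuple[int, int]:
    """Locate (offset, length) of the XOR colour bytes of the first image in an ICO."""
    if ico[:4] != b"\x00\x00\x01\x00" or struct.unpack_from("<H", ico, 4)[0] < 1:
        raise ValueError("not an ICO file")
    w, h, _, _, _, bpp, _, off = struct.unpack_from("<BBBBHHII", ico, 6)
    w, h = w or 256, h or 256  # a zero byte in the directory entry means 256
    if struct.unpack_from("<I", ico, off)[0] != 40 or bpp != 32:
        raise ValueError("example handles uncompressed 32 bpp DIB icons only")
    return off + 40, w * h * 4


def embed(ico: bytes, payload: bytes) -> bytes:
    """Write the length-prefixed payload, one bit per pixel byte, into the LSB plane."""
    start, length = pixel_region(ico)
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > length:
        raise ValueError("payload too large for this icon")
    buf = bytearray(ico)
    for i, byte in enumerate(data):
        for j in range(8):
            pos = start + i * 8 + j
            buf[pos] = (buf[pos] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(buf)


def extract(ico: bytes) -> bytes:
    """Recover the payload; refuses a length prefix that does not fit the icon."""
    start, length = pixel_region(ico)

    def read(n: int, bit_off: int) -> bytes:
        out = bytearray()
        for i in range(n):
            v = 0
            for j in range(8):
                v = (v << 1) | (ico[start + bit_off + i * 8 + j] & 1)
            out.append(v)
        return bytes(out)

    n = struct.unpack(">I", read(4, 0))[0]
    if 32 + n * 8 > length:
        raise ValueError("length prefix exceeds icon capacity; probably no payload")
    return read(n, 32)


def lsb_set_ratio(ico: bytes) -> float:
    """Analyst heuristic: share of pixel bytes whose LSB is set. Flat icon art gives a
    fixed, explainable value; a noisy LSB plane in such art is worth a closer look."""
    start, length = pixel_region(ico)
    return sum(b & 1 for b in ico[start:start + length]) / length


if __name__ == "__main__":
    clean = build_ico(cover_pixels())
    stego = embed(clean, SAMPLE_LIST)
    print(len(stego), "bytes; recovered:", extract(stego).decode().split())
    print("LSB set ratio clean %.3f, stego %.3f" % (lsb_set_ratio(clean), lsb_set_ratio(stego)))
```

The clean and the stego icon are the same size and render identically, which is the point of the technique; the LSB ratio is only a triage hint, since real icon artwork often has a noisy LSB plane of its own. A sturdier check in practice is whether the favicon changes on a schedule that does not match the rest of the site, or whether the fetch happens only alongside ordinary browsing, as the whitepaper describes.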
“The most effective way to avoid infection by Vawtrak is to stay vigilant about online phishing and scams. However, Vawtrak may still find its way via the other infection vectors, even without a user’s direct interaction. Therefore, having an efficient and updated antivirus solution is a must-have,” says Kroustek. That advice stands even though the malware tries to disable any running AV software it finds on the target machine (the list is considerable).
For more technical details and information about its capabilities, check out the whitepaper.