Command and control servers more difficult to pinpoint

Jun 9, 2015 14:55 GMT  ·  By
Generated domain name in Vawtrak concatenated with the “tor2web.org” string
   Generated domain name in Vawtrak concatenated with the “tor2web.org” string

Some variants of Vawtrak banking Trojan, also known as Neverquest, have been found to hide their command and control (C&C) servers in Tor anonymity network, making the cybercriminal operation more difficult to disrupt.

Most versions of the malware rely on hard-coded IP addresses for the C&C, but this approach makes the domains used to deliver commands to the infected machine easy to discover via threat analysis techniques.

DGA is not foolproof

A different mechanism for making Vawtrak more resilient to takedown efforts involves a domain generation algorithm, which creates a set of domain names the malware contacts to receive commands.

Cybercriminals register only a small number of them because Vawtrak will check each of them until the appropriate response is received.

Raul Alvarez from Fortinet explains how the process works for this piece of malware, saying that Vawtrak’s code includes multiple DWORD values matching different domain names.

“Each DWORD value is a seed used to generate the domain name. These seeds are stored as fixed values within the malware code, thereby producing the same pseudo-randomized domain names. To generate the corresponding domain name, Vawtrak uses the seed to generate the pseudo-randomized characters of the domain name,” he says in a blog post.

However, this technique is not infallible because researchers can break the algorithm and find the strings generated.

Tor2Web proxy used to access hidden services

More recent variants of the threat rely on Tor2Web, a proxy that establishes a direct connection to a server in TOR network without the need for additional tools.

The strings generated by the DGA are for locations in Tor, and the author implemented a function that passes them through the Tor2Web proxy service.

Although a user connecting to the proxy service can be traced, the connection beyond it is not. Traffic in Tor is encrypted and routed through multiple machines that do not keep records of the origin and destination. The result is access to a server whose location is shrouded in anonymity.

Vawtrak includes multiple protection mechanisms (such as disabling antivirus solutions) that allow it to evade detection and analysis. After compromising a machine, it can pilfer credentials and record user activity (keystrokes, screenshots and video).

Its operator can access the system remotely through a VNC channel and alter web sessions by injecting fake content in order to collect passwords for online banking accounts and the additional codes needed to access them.