![CarmeloWalsh[.]com](https://www.carmelowalsh.com/wp-content/themes/twentyten/images/headers/sunset.jpg)
Vawtrak is a banking Trojan that has been spreading in recent months. It infects victims via malware downloaders, exploit kits, or through drive-by downloads (e.g. spam email attachments or links). AVG has a white paper (pdf) full of details.
Vawtrak performs the following actions:
- Disables antivirus protection.
- Communicates with remote Command & Control servers – executes commands from a remote server, sends stolen information, downloads new versions of itself and web-injection frameworks.
- Hooks standard API functions, injects itself into new processes.
- Steals passwords, digital certificates, browser history, and cookies.
- Logs keystrokes.
- Takes screenshots of desktop or particular windows with highlighted mouse clicks.
- Captures user actions on desktop in an AVI video.
- Opens a VNC (Virtual Network Computing) channel for a remote control of the infected machine.
- Creates a SOCKS proxy server for communication through the victim’s computer.
- Changes or deletes browser settings (e.g. disable Firefox SPDY) and history.
- Vawtrak supports three major browsers to operate in – Internet Explorer, Firefox, and Chrome. It also supports password stealing from the other browsers.
- Modifies browser communication with a web server.
- Stores internal settings into encrypted registry keys.
Attackers will spam with authentic looking emails, with items that are pricy, playing on victims to feel that someone hacked their Amazon account and forces them to immediately investigate by checking the order number. Hovering over the hyperlinks reveals that, unmaintained and compromised WordPress sites carry a drive-by download, waiting for a victim to visit.
The best way to avoid Vawtrack, stay vigilant to online phishing scams, click bait, and wandering off the trusted paths on the Internet.
