Defense Mechanism of a Banking Malware, presented at BSides Ottawa 2015

by Raul Alvarez

Summary: Vawtrak, also called NeverQuest, is a banking malware that targets banks and other financial institutions all over the world. It is a sophisticated malware that rivals the likes of Zeus and other malevolent trojans. Newer versions of Vawtrak use Tor2web to reach their hidden C&C servers.
Vawtrak is a very sophisticated malware not only in its malicious features, but also in its code. It uses a technique called layering, similar to a Matryoshka doll, wherein the original malware produces another malware from within its own binaries.
Using Tor2web, the malware also tries to avoid aggressive takedowns of its servers by the good guys. In this presentation, we will look into how the malware uses a DGA to generate its C&C domain names, and how it implements a similar DGA to access its hidden servers.
In this presentation, we will also focus on how Vawtrak implements anti-emulator, anti-debugger, and anti-analysis tricks, encryption/decryption/hashing, compression/decompression, garbage collection, and code injection. Vawtrak uses all possible armoring tricks and techniques in order to dodge detection and analysis. We will look into how the malware uses layers in its code and how it integrates the different armoring techniques in those layers.
A demonstration will show how the malware, running under a debugger, generates the domain names and how it tries to access the Tor network via Tor2web. We will also walk through some of its malicious activities.