Paper: Nesting doll: unwrapping Vawtrak

Posted by   Virus Bulletin on   Jan 20, 2015

Raul Alvarez unwraps the many layers of an increasingly prevalent banking trojan.

Banking trojans remain one of the most prevalent kinds of malware. Among them, trojans based on Zeus have long been the most prevalent, but in recent months a relatively new trojan has been challenging the reign of Zeus: Vawtrak.

Also known as Neverquest or Snifula, Vawtrak initially targeted users of Japanese banking systems, but it has since broadened its scope. In a recent paper (pdf), Sophos researcher James Wyke looked at the malware's infection vector, as well how it targets banks and other financial institutions.

Today, we publish a paper by Fortinet researcher Raul Alvarez, in which he takes a close look at the malware itself. Like a Russian Matryoshka doll, it consists of multiple layers, with each layer (or doll) containing the next one until the final layer contains a malicious DLL.

  Matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)

In his paper, Raul takes us through the various layers and explains how each layer contains various tricks to frustrate researchers and debuggers alike. This not only makes it an essential read for anyone studying Vawtrak, but also a good introduction to modern malware analysis, which is very much about distinguishing real from bogus instructions and avoiding traps laid out for researchers.

You can read the paper here in HTML format or here as a PDF. Remember that all content published by Virus Bulletin can be read free of charge, with no registration required.

  Decryption algorithm used by Vawtrak. Only the highlighted instructions are relevant; the rest are garbage instructions.

If you like this paper, be sure to read previous articles Raul wrote for Virus Bulletin, including analyses of W32/Huhk and the Neshta file infector.

Posted on 20 January 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

Nominations opened for sixth Péter Szőr Award

Virus Bulletin is seeking nominations for the sixth annual Péter Szőr Award.

Haroon Meer and Adrian Sanabria to deliver VB2019 closing keynote

New additions to the VB2019 conference programme include a closing keynote address from Thinkst duo Haroon Meer and Adrian Sanabria and a talk on attacks against payment systems.

Free VB2019 tickets for students

Virus Bulletin is excited to announce that, thanks to generous sponsorship from Google Android, we are able to offer 20 free tickets to students who want to attend VB2019.

VB2018 paper: Lazarus Group: a mahjong game played with different sets of tiles

The Lazarus Group, generally linked to the North Korean government, is one of the most notorious threat groups seen in recent years. At VB2018 ESET researchers Peter Kálnai and Michal Poslušný presented a paper looking at the group's various…

Book your VB2019 ticket now for a chance to win a ticket for BSides London

Virus Bulletin is proud to sponsor this year's BSides London conference, which will take place next week, and we have a number of tickets to give away.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.