Endpoint Protection

  • 1.  BKDR_VAWTRAK

    Posted Jul 22, 2014 06:32 PM

    How is Symantec Endpoint Protection protecting against BKDR_VAWTRAK?



  • 2.  RE: BKDR_VAWTRAK

    Posted Jul 22, 2014 07:00 PM

    No news as of now, need to wait for the sec team to reply.



  • 3.  RE: BKDR_VAWTRAK

    Posted Jul 22, 2014 07:44 PM

    Possibly it is, with AV and IPS, but this isn't the name Symantec uses... where did you see this?



  • 4.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 07:12 AM

    Hi Shlueb,

    Unfortunately it's not possible to confirm this by name alone.  We could with a specific unique hash of a sample, though.

    (BKDR_VAWTRAK is another vendor's name- different companies detect threats and assign them different names.)

    Just judging from VirusTotal, many files given that BKDR_VAWTRAK designation by another vendor are detected by Symantec and classified as Backdoor.Trojan, Trojan.Snifula.F, Trojan.Ransomlock.G and Trojan.Zbot.

    Can you provide an MD5 of the variant you are concerned about?  Or is there anything else needed?  Please do keep this thread up-to-date!

    With thanks in advance,

    Mick


    PS.  The article below gives best practice steps on how to ensure your defenses are raised against all manner of threats:


    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0




  • 5.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 10:23 AM

    I am relying on Symantec to protect my environment.  I read articles related to cyber security every day.  In this case, I have read reports of BKDR_VAWTRAK in the wild in Japan. It is rather nasty, using Windows features to disable over 50 security applications, including SEP.  It allows the attacker to gain control of your system and take whatever information they want.

    I have tried to find reference to BKDR_VAWTRAK on the Symantec site, without success.

    I only have other vendor names to go by.

    If this helps...

    Microsoft - Backdoor:Win32/Vawtrak.A
    Trend Micro - BKDR_VAWTRAK.A

    I do not have a hash of this malware.  I don't want it anywhere near me.

    How is Symantec Endpoint Protection protecting me against this malware?

    I do appreciate your comments, Mick2009, but they fall short of providing the warm and fuzzy.  Can you state, in no uncertain terms, that BKDR_VAWTRAK is detected by SEP as Backdoor.Trojan, Trojan.Snifula.F, Trojan.Ransomlock.G and Trojan.Zbot?

    All of them?  Any one in particular?  I need to know for certain.

    Do I need to open a support ticket?




  • 6.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 10:30 AM

    In all the hashes I've checked, 20 or so, in addition to the names Mick mentioned I'm also seeing trojan.gen and trojan.dropper as detection names.



  • 7.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 10:41 AM

    Thank you .Brian.

    So I can tell my manager that BKDR_VAWTRAK is detected by SEP as Backdoor.Trojan, Trojan.Snifula.F, Trojan.Ransomlock.G, Trojan.Zbot, trojan.gen and trojan.dropper?  All of the above?



  • 8.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 10:42 AM

    Hi Shlueb,

    Computer Security is a world with few warm and fuzzies, I am afraid.  The threat landscape is pretty harsh and users and admins must be constantly vigilant to minimize risk.

    All of the files currently in VirusTotal that are detected by TrendMicro as "BKDR_VAWTRAK.A" have a Symantec detection as "Trojan.Ransomlock.G."  Here is the write-up for that threat:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-051715-1513-99

    In addition to the SEP best practices above, I recommend reading these and then ensuring that your environment is as well secured as possible.

    The Day After: Necessary Steps after a Virus Outbreak
    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

    First Response to: Cryptolocker \ Ransomcrypt\ Encryptor
    https://www-secure.symantec.com/connect/articles/first-response-cryptolocker-ransomcrypt-encryptor


    Hope this helps!

    Mick



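The hash-by-hash cross-referencing that Mick and Brian describe in the replies above (pull the files one vendor names BKDR_VAWTRAK, then tally what the other vendor calls each of them) can be scripted once you have the per-engine results. The block below is an added example for this thread, not code from the original posts or from Symantec. It assumes file reports in the shape of VirusTotal's v3 `last_analysis_results` (one entry per engine with `category` and `result`); the records embedded in it are constructed with placeholder hashes and illustrative verdicts, not real scan data. It also does what a one-line "all of the above" cannot: it keeps the mapping per sample and lists separately any sample the second vendor did not detect at all, which is the caveat behind the "not all of them, and not for every sample" answer.

```python
"""Cross-vendor detection-name pivot over VirusTotal-style file reports.

Added example for this thread, not code from the original posts or from
Symantec. Records below are constructed to mimic the shape of a VirusTotal
v3 file report (attributes.last_analysis_results.<engine>.{category,result});
the hashes are placeholders and the verdicts are illustrative, not real scans.
"""
from collections import defaultdict

# Constructed sample reports (placeholder hashes, illustrative verdicts).
SAMPLE_REPORTS = [
    {"sha256": "a1" * 32, "last_analysis_results": {
        "TrendMicro": {"category": "malicious", "result": "BKDR_VAWTRAK.A"},
        "Symantec": {"category": "malicious", "result": "Trojan.Ransomlock.G"},
        "Microsoft": {"category": "malicious", "result": "Backdoor:Win32/Vawtrak.A"},
    }},
    {"sha256": "b2" * 32, "last_analysis_results": {
        "TrendMicro": {"category": "malicious", "result": "BKDR_VAWTRAK.A"},
        "Symantec": {"category": "malicious", "result": "Trojan.Ransomlock.G"},
    }},
    {"sha256": "c3" * 32, "last_analysis_results": {
        "TrendMicro": {"category": "malicious", "result": "BKDR_VAWTRAK.B"},
        "Symantec": {"category": "malicious", "result": "Trojan.Zbot"},
    }},
    {"sha256": "d4" * 32, "last_analysis_results": {
        "TrendMicro": {"category": "malicious", "result": "BKDR_VAWTRAK.A"},
        "Symantec": {"category": "undetected", "result": None},
    }},
    {"sha256": "e5" * 32, "last_analysis_results": {
        "TrendMicro": {"category": "malicious", "result": "TROJ_GEN.EXAMPLE"},
        "Symantec": {"category": "malicious", "result": "Trojan.Gen"},
    }},
]


def verdict(report, engine):
    """Return the detection name `engine` gave for `report`, or None when the
    engine is absent from the report or marked the file undetected/harmless."""
    entry = report.get("last_analysis_results", {}).get(engine)
    if not entry or entry.get("category") not in ("malicious", "suspicious"):
        return None
    return entry.get("result") or None


def pivot(reports, src_engine, src_family, dst_engine):
    """Pivot from src_engine's family name to dst_engine's names.

    Family match is a case-insensitive prefix, so "BKDR_VAWTRAK" covers
    BKDR_VAWTRAK.A, .B, ...; pass the full name to restrict to one variant.
    Returns (mapping, missed): mapping is dst name -> sorted sample hashes,
    missed lists hashes that src_engine named but dst_engine did not detect.
    """
    mapping = defaultdict(list)
    missed = []
    for report in reports:
        src = verdict(report, src_engine)
        if src is None or not src.upper().startswith(src_family.upper()):
            continue
        dst = verdict(report, dst_engine)
        if dst is None:
            missed.append(report["sha256"])
        else:
            mapping[dst].append(report["sha256"])
    return {name: sorted(hashes) for name, hashes in mapping.items()}, sorted(missed)


def coverage(reports, src_engine, src_family, dst_engine):
    """How many src-family samples dst_engine detects under any name.
    Returns (detected, total); total == 0 means no sample matched the family."""
    mapping, missed = pivot(reports, src_engine, src_family, dst_engine)
    detected = sum(len(hashes) for hashes in mapping.values())
    return detected, detected + len(missed)


if __name__ == "__main__":
    mapping, missed = pivot(SAMPLE_REPORTS, "TrendMicro", "BKDR_VAWTRAK", "Symantec")
    for name, hashes in sorted(mapping.items()):
        print(f"{name}: {len(hashes)} sample(s)")
    print(f"not detected by Symantec: {len(missed)} sample(s)")
    print("coverage: %d/%d" % coverage(SAMPLE_REPORTS, "TrendMicro", "BKDR_VAWTRAK", "Symantec"))
```

With real reports the input would come from the VirusTotal API (or any per-engine scan export) rather than the embedded list; the point of `missed` is that a family name on one vendor's side guarantees nothing about per-sample coverage on the other, so the honest answer to "all of them?" is the coverage count plus the list of hashes that still need a sample submitted.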

  • 9.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 10:56 AM

    Those are what I observed, yes.



  • 10.  RE: BKDR_VAWTRAK

    Posted Jul 23, 2014 11:17 AM

    Thank you, Mick.

    I am in Computer Security and I am trying to maintain an "as warm and fuzzy as possible" state.

    I must say, after reading the Symantec writeup on Trojan.Ransomlock.G and the Trend Micro writeup on BKDR_VAWTRAK.A, I am more confused.

    There does not seem to be any similarity - at all - in what these two pieces of malware do, with respect to the writeups.