Malware uses Windows security feature to block security software

Summary: Trend Micro finds malware using Windows Software Restriction Policies to block security software from running.

Trend Micro researchers have written about a twist in the BKDR_VAWTRAK banking malware in Japan. It is using Windows Software Restriction Policies (SRP) to restrict the privileges of security software, including Trend's.

SRP is a feature that was introduced in Windows XP and Windows Server 2003 and is generally administered through Group Policy. It is designed to allow administrators to blacklist and whitelist specific executable programs, identified by path, file hash, publisher certificate or Internet zone, or to restrict them to unprivileged (standard user) execution. Each rule assigns one of a small set of security levels: Disallowed, Basic User or Unrestricted.

This is not the first time SRP has been used by malware, but Trend Micro says that the prominence of VAWTRAK attacks makes it more significant.

SRP can also be configured on a single machine with the Local Group Policy Editor (gpedit.msc, under Security Settings), in those editions of Windows that ship with it:

[Screenshot: SRP.sample, the Software Restriction Policies node in the Local Group Policy Editor]

And since policies translate to registry keys on the systems being managed, it is also possible to create the registry keys directly, which is what Trend Micro reports the malware does. In the example above, the registry keys are placed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers, where each rule is a subkey beneath a numeric security-level key (0 for Disallowed). A process that can write there can add a rule without ever touching Group Policy, and Windows will enforce it at the next process launch just as if an administrator had set it.

When the user attempts to run the executable, they are prevented by Windows from doing so:

[Screenshot: SRP.blockage, the Windows dialog reporting that the program is blocked by group policy]

The malware must itself be executing in a privileged context in order to create these registry keys, and it must execute in spite of the presence of the security software it is attempting to block. Potentially, updates to the security software could find the malware, but not if the security software itself has been blocked from running in this way.
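The following is an added example, not code from the article or from Trend Micro, that audits the same registry location from the defender's side: it enumerates every SRP rule the Safer engine would read from HKLM and HKCU, and flags Disallowed or Basic User path rules whose target looks like a security product's directory. The product-name patterns, the function names and the cmdlet-style helpers are assumptions made for illustration; the pattern list is not Trend Micro's list of 53 products.

```powershell
# Added example: audit Software Restriction Policy rules stored in the registry.
# Run from an elevated PowerShell session. Names and patterns below are assumed
# for illustration and are not taken from the article or from Trend Micro.

# Security-level IDs as Windows defines them (SAFER_LEVELID_*).
$SaferLevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# Assumed substrings of directories used by security products; extend as needed.
$SecurityProductPatterns = @('Trend Micro', 'Windows Defender', 'Symantec', 'McAfee', 'Kaspersky', 'Sophos')

function Resolve-SaferLevel([object]$Value) {
    if ($null -eq $Value) { return '(not set)' }
    $n = [int]$Value
    if ($SaferLevelNames.ContainsKey($n)) { $SaferLevelNames[$n] } else { 'Unknown(0x{0:X})' -f $n }
}

function Get-SrpPolicySummary {
    # Both hives are honoured by the Safer engine; report the policy-wide settings of each.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $props = Get-ItemProperty -LiteralPath $root
        [pscustomobject]@{
            Hive               = $hive
            DefaultLevel       = Resolve-SaferLevel $props.DefaultLevel
            TransparentEnabled = $props.TransparentEnabled   # 1 = all files but DLLs, 2 = DLLs too
            PolicyScope        = $props.PolicyScope          # 0 = all users, 1 = all except local admins
        }
    }
}

function Get-SrpRule {
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Each numeric subkey is a security level; rules live under Paths\{GUID} and Hashes\{GUID}.
        foreach ($levelKey in Get-ChildItem -LiteralPath $root | Where-Object { $_.PSChildName -match '^\d+$' }) {
            $level = [int]$levelKey.PSChildName
            foreach ($kind in 'Paths', 'Hashes') {
                $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
                if (-not (Test-Path -LiteralPath $kindPath)) { continue }
                foreach ($ruleKey in Get-ChildItem -LiteralPath $kindPath) {
                    $p = Get-ItemProperty -LiteralPath $ruleKey.PSPath
                    if ($kind -eq 'Paths') {
                        $target = [string]$p.ItemData
                    } else {
                        # Hash rules store the file hash as REG_BINARY; render it as hex.
                        $target = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    }
                    $modified = $null
                    if ($p.LastModified) {
                        try { $modified = [DateTime]::FromFileTimeUtc([long]$p.LastModified) } catch { }
                    }
                    [pscustomobject]@{
                        Hive         = $hive
                        Level        = $level
                        LevelName    = Resolve-SaferLevel $level
                        Type         = $kind.TrimEnd('s')
                        Target       = $target
                        Description  = $p.Description
                        LastModified = $modified
                        KeyPath      = $ruleKey.PSPath
                    }
                }
            }
        }
    }
}

function Find-SuspiciousSrpRule {
    param([string[]]$Patterns = $SecurityProductPatterns)
    foreach ($rule in Get-SrpRule) {
        # Any level below Unrestricted restricts the target; the article's case is Disallowed path rules.
        if ($rule.Level -ge 262144 -or $rule.Type -ne 'Path') { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($rule.Target)
        foreach ($pat in $Patterns) {
            if ($expanded -like "*$pat*") {
                $rule | Add-Member -NotePropertyName MatchedPattern -NotePropertyValue $pat -PassThru
                break
            }
        }
    }
}

function Remove-SrpRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$KeyPath)
    process {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove SRP rule')) {
            Remove-Item -LiteralPath $KeyPath -Recurse
        }
    }
}

Get-SrpPolicySummary | Format-Table -AutoSize
Find-SuspiciousSrpRule | Format-Table Hive, LevelName, Target, LastModified, KeyPath -AutoSize
# Find-SuspiciousSrpRule | Remove-SrpRule -WhatIf   # drop -WhatIf to delete, then run 'gpupdate /force'
```

A rule that Group Policy legitimately deploys will be re-created at the next policy refresh, so a Disallowed rule that survives only in the registry and appears in no GPO is the tell-tale of the technique described above. Deleting the rule is enough to let the blocked program start again; the malware that wrote it still has to be found and removed separately.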

Ironically, the Microsoft TechNet article introducing SRP on New Year's Day 2002 describes how it can be used to "fight viruses." The other purposes described in the article are:

  • Regulate which ActiveX controls can be downloaded

  • Run only digitally signed scripts

  • Enforce that only approved software is installed on system computers

  • Lock down a machine

Trend Micro lists 53 products and companies for which the malware looks on the infected system. If it finds any, it creates an SRP rule for that program.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio
