Trend Micro researchers have written about a twist in the BKDR_VAWTRAK banking malware in Japan. It is using Windows Software Restriction Policies (SRP) to restrict the privileges of security software, including Trend's.
SRP is a feature that was introduced in Windows XP and Windows Server 2003 and is generally administered through Group Policy. It is designed to allow administrators to blacklist and whitelist specific executable programs, or to restrict them to unprivileged (standard user) execution.
This is not the first time SRP has been used by malware, but Trend Micro says that the prominence of VAWTRAK attacks makes it more significant.
SRP can also be invoked with the Local Policy Editor in any version of Windows:
And since policies translate to registry keys on the systems being managed, it is also possible to create the registry keys directly, which is what Trend Micro reports the malware does. In the example above, the registry keys are placed in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers.
When the user attempts to run the executable, they are prevented by Windows from doing so:
The malware must itself be executing in a privileged context in order to create these registry keys, and it must execute in spite of the presence of the security software it is attempting to block. Potentially, updates to the security software could find the malware, but not if the malware has been blocked in this way.
Ironically, the Microsoft TechNet article introducing SRP on new years day 2002 describes how it can be used to "fight viruses." The other purposes described in the article are:
- Regulate which ActiveX controls can be downloaded
- Run only digitally signed scripts
- Enforce that only approved software is installed on system computers
- Lockdown a machine
Trend Micro lists 53 products and companies for which the malware looks on the infected system. If it finds any, it creates an SRP for that program.