Malware uses Windows security feature to block security software


Summary: Trend Micro finds malware using Windows Software Restriction Policies to block security software from running.


Trend Micro researchers have written about a twist in the BKDR_VAWTRAK banking malware seen in Japan. It uses Windows Software Restriction Policies (SRP) to keep security software, including Trend Micro's own products, from running at all.

SRP is a feature that was introduced in Windows XP and Windows Server 2003 and is generally administered through Group Policy. It lets administrators blacklist and whitelist specific executable programs, or restrict them to unprivileged (standard user) execution, with rules that match a program by path, file hash, publisher certificate, or Internet zone.

This is not the first time SRP has been used by malware, but Trend Micro says that the prominence of VAWTRAK attacks makes it more significant.

SRP can also be configured on a single machine through the Local Group Policy Editor (gpedit.msc, under Security Settings, Software Restriction Policies) on the Windows editions that ship that editor:

[Screenshot: a sample SRP rule created in the Local Group Policy Editor]

And since policies translate to registry keys on the systems being managed, it is also possible to create the registry keys directly, which is what Trend Micro reports the malware does. In the example above, the registry keys are placed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers, where each rule is a subkey beneath the security level it enforces (0 for Disallowed).
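The following PowerShell audit script is an added example, not code from the article or from Trend Micro's report. It walks the same CodeIdentifiers key the malware writes to, decodes each path rule and its enforcement level, and flags rules that point at a security product's directory. It assumes Microsoft's SRP registry layout (a CodeIdentifiers\<level>\Paths\<GUID> subkey per rule with an ItemData value, levels 0, 131072 and 262144 for Disallowed, Basic User and Unrestricted); the $Watch list of vendor names is a constructed sample, not the 53-entry list Trend Micro published.

```powershell
# Added example: audit Software Restriction Policy rules written directly to the registry.
# Assumptions: the key layout (CodeIdentifiers\<level>\Paths\<GUID>, ItemData value,
# levels 0/131072/262144) is Microsoft's SRP registry format; $Watch is a constructed
# sample of security-product directory names, not Trend Micro's 53-entry list.
$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels  = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
$Watch   = @('Trend Micro', 'Symantec', 'McAfee', 'Kaspersky', 'Windows Defender',
             'Microsoft Security Client', 'Sophos', 'AVG')   # constructed sample

function Get-SrpPathRules {
    # Enumerate every path rule under every enforcement level and decode it.
    if (-not (Test-Path $SrpBase)) { return @() }
    foreach ($lvl in $Levels.Keys) {
        $pathKey = Join-Path $SrpBase "$lvl\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathKey) {
            $p      = Get-ItemProperty -Path $rule.PSPath
            $target = [string]$p.ItemData
            [pscustomobject]@{
                Level        = $Levels[$lvl]
                Path         = $target
                Description  = $p.Description
                # LastModified is a FILETIME stored as REG_QWORD
                LastModified = if ($p.LastModified) { [datetime]::FromFileTime([int64]$p.LastModified) } else { $null }
                RuleKey      = $rule.PSChildName
                # A Disallowed or BasicUser rule aimed at a security product is the
                # pattern the article describes; Unrestricted rules are not flagged.
                Suspicious   = ($lvl -ne 262144) -and
                               [bool]($Watch | Where-Object { $target -like "*$_*" })
            }
        }
    }
}

function Get-SrpGlobalSettings {
    # DefaultLevel: what binaries matched by no rule get. TransparentEnabled 2 means
    # DLLs are checked too. PolicyScope 1 exempts local administrators from the policy.
    $cfg = Get-ItemProperty -Path $SrpBase -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DefaultLevel       = if ($null -ne $cfg.DefaultLevel) { $Levels[[int]$cfg.DefaultLevel] } else { 'not set' }
        TransparentEnabled = $cfg.TransparentEnabled
        PolicyScope        = $cfg.PolicyScope
    }
}

Get-SrpGlobalSettings | Format-List
$rules = @(Get-SrpPathRules)
"{0} SRP path rule(s) found, {1} suspicious" -f $rules.Count, @($rules | Where-Object Suspicious).Count
$rules | Where-Object Suspicious | Format-Table Level, Path, LastModified, RuleKey -AutoSize
```

Reading HKLM\SOFTWARE\Policies does not require elevation, so the script can run from a standard account. A flagged rule is not proof of infection on its own: Group Policy delivers legitimately deployed SRP rules into the same key, so compare the output with what gpresult reports for the machine before treating a rule as malicious, and remember that a rule appearing here with no matching GPO is exactly the trace the article describes.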

When the user attempts to run the executable, they are prevented by Windows from doing so:

[Screenshot: the Windows dialog shown when SRP blocks the executable]

The malware must itself be executing in a privileged context in order to create these registry keys under HKEY_LOCAL_MACHINE, and it must get that far despite the presence of the security software it is attempting to block. Potentially, later signature updates to the security software could detect the malware, but not once the security software itself has been blocked from running in this way.

Ironically, the Microsoft TechNet article introducing SRP on New Year's Day 2002 describes how it can be used to "fight viruses." The other purposes described in the article are:

  • Regulate which ActiveX controls can be downloaded

  • Run only digitally signed scripts

  • Enforce that only approved software is installed on system computers

  • Lock down a machine

Trend Micro lists 53 products and companies for which the malware looks on the infected system. For each one it finds, it creates an SRP rule blocking that program.

Talkback

108 comments
  • Just had to chuckle at the irony...

    Subject says it all.
    TheRealUMLGuy
  • No big deal...

    The malware clearly needs to be executed with administrative privileges in order to modify the Registry key that controls Software Restriction Policies. If you're still running your daily activities under an administrator account (on Windows XP) or without User Account Control protection (Windows Vista, 7, 8.x) you're practically calling problems over yourself.
    leonsk29
    • ... and who designed it that way?

      ... Who d'ya think?

      Step forward Microsoft.

      Don't blame users for poor security design; blame the designer.
      Heenan73
      • How are such items supposed to be controlled?

        So the UAC is poor design, and to install the software you need admin privileges... How is that poor design? Or are you an ABM?
        schultzycom
        • lol how?

          how is that not being bad desing?

          its horrible
          Uglyulytruth
          • How is that not bad spelling?

            :)
            cornpie
          • how is bad spelling relevant

            you microcrap creeps really have nothing smart to say
            Uglyulytruth
          • You're really not up with things are you

            The mis-spellings/typings are clearly a feature of some/all versions of Windows. How could it be otherwise?!
            ego.sum.stig
        • poor because

          Every app you install on windows wants admin so eventually something gets in. At least on nix many things install and run in user context.
          LarsDennert
          • Supporting data please.

            "Every app you install on windows wants admin so eventually something gets in."

            This may have been the case prior to Windows Vista's release. But since then software has been designed to work with least privileges (as Microsoft required in order to obtain Windows certification on Windows 2000...so it's been 14 or so years).
            ye
          • Good thing, 14 years.

            It's good to know things are going so well for Windows security for such a long time.

            So everyday people can run it without AV like Linux Mint 17 Cinnamon?
            Joe.Smetona
          • Yes, they can. Have been able to for a long, long, long time.

            nt
            ye
          • YES

            Yes, you can run Windows without AV, but I wouldn't recommend it. You can, but you will need to minimize your internet activities to safe sites and not install software unless it's from a trusted source. I will not tell you Windows by default is as good as Linux; but Linux users tend to be more technical. If you're running Linux, chances are you're not going to install malware or anything, just from the fact that Linux users are more technically inclined compared to the Windows user base.
            Meansman
          • OK,

            So install Microsoft Office (you choose the version) as admin and choose what Microsoft believes to be the most commonly used settings. This means that many extra features are set to be installed on first use. Then log in as a non-admin and try to install one of those extra features.... it ain't happening without admin rights.

            This happens in Windows 7 and Windows 8 and it still happens with Office 365. I've had the problem with users on our domain.
            benched42
      • ...

        Clearly you don't understand anything about computer security, do you? If you execute a program under a privileged user account, the program inherits the rights of that user account. It's the same thing on Windows, Linux and Mac OS. What part of that don't you understand? The post clearly states "the malware needs to be run in a privileged context".
        leonsk29
        • clearly you dont

          Since you are a microcrap user you have no idea what security really is.
          Uglyulytruth
          • Instead of name calling....

            Instead of name calling, how about you rebut his statement and correct where you think he is wrong? Saying he's an MS user so he doesn't know anything about security is condescending and childish.
            Meansman
          • no...

            That's the truth.
            Uglyulytruth
        • That isn't always true... It depends on the distribution...

          Linux does support mandatory access controls.

          And that can override any privileges of the account.

          An example is Apache running on Red Hat servers. Apache is started by root, yes - but it loses privileges immediately, before the first instruction gets executed.

          The apache executable is labeled with the privileges it is permitted to use, and it can only access files that are also correctly labeled. It can't even reach scratch files (i.e. the /tmp directory). It cannot write files... even if they have world write access - unless those files also have the correct MAC labels. This alone prevents defacements if the web server is penetrated.

          In addition to the MAC labels, apache runs under its own UID/GID. Apache cannot even access files owned by that UID unless the security labels permit the access.

          This makes it rather difficult to do much via a vulnerability. Cause problems? Sure, no question. But the system is effectively saved by having the apache process compartmented and isolated from the rest of the system.
          jessepollard
          • Actually, it's the same thing...

            What do you think features like Software Restriction Policies and AppLocker are? Mandatory access control security measures of Windows. They control the execution of software regardless of the privileges of users running them.
            leonsk29