Pierluigi Paganini June 14, 2014

The malware specialists at Trend Micro noticed that malicious agent BKDR_VAWTRAK is abusing a Windows feature SRP to prevent victims’ defense systems.

Experts at Trend Micro have discovered that Japanese Internet users are being infected by a trojan, dubbed BKDR_VAWTRAK, which uses Windows to try to defeat security software on infected machines. Like many other banking malware BKDR_VAWTRAK has data stealing capability focused on victim’s online banking credentials at some Japanese banks.

The malware specialists at Trend Micro noticed that malicious agent is abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running a wide range of security programs, including antivirus software from  Trend Micro, ESET, AVG Symantec, Microsoft, Intel and many others for a total of 53 different applications. There are different ways to identify the application which can run on a system, for example by cryptographic hash, digital signature, their download source, or simply their path on the system.

BKDR_VAWTRAK is using the path on the system to discriminate the applications.

“The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003.” “There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for the following directories under the %Program Files% and %All Users Profile%\Application folder, which are used by various security products”  reports the blog post published by Trend Micro.

The BKDR_VAWTRAK malware search for directories related to the process to block, if it finds them it adds the following registry entries to force applications in that directory to run with restricted privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software} ItemData = “{AV software path}” SaferFlags = “0”

“As a result, any file under the said directory would not run, returning the following error message:”

The Software Restriction Policies (SRP) are intended to give corporate administrators the control over the software that the machines can run, administrators can easily manage the application with application blacklists.

“Software Restriction Policies (SRP) is Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.”

This is a very interesting case because is the demonstration of the capabilities of the author of malware which succeeded to benefit of a feature implemented by an OS to defend the machine from malicious code.

As confirmed by the experts, this isn’t the first malware to use a similar technique against defense software, it’s significant because BKDR_VAWTRAK has hit Japanese users.

Pierluigi Paganini

(Security Affairs –  DDoS, Zeus)