Trend Micro security engineers have discovered that a banking credentials stealer named BKDR_VAWTRAK is abusing a Windows feature, Software Restriction Policies (SRP), to prevent antivirus applications from identifying it and putting it into quarantine.
BKDR_VAWTRAK bank credentials stealing malware uses Windows SRP feature to defend itself against AV
Trend Micro discovered this feature while investigating some Japanese Internet users who were infected by a trojan dubbed BKDR_VAWTRAK. Trend Micro found that BKDR_VAWTRAK uses Windows itself to try to defeat the security software that works to identify the malware on infected machines. Like many other banking malware families, BKDR_VAWTRAK has data-stealing capability focused on victims’ online banking credentials at some Japanese banks.

The malware specialists at Trend Micro noticed that the malicious agent is abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running almost all top antivirus and security software, such as Trend Micro, ESET, AVG, Symantec, Microsoft, Intel etc. Trend Micro said that they had experimented with 53 different applications and found that BKDR_VAWTRAK defends itself against all of them. SRP offers different ways to identify the applications that may run on a system, for example by cryptographic hash, digital signature, download source, or simply their path on the system.

BKDR_VAWTRAK uses the path on the system to discriminate between applications.

“The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003.” “There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for the following directories under the %Program Files% and %All Users Profile%Application folder, which are used by various security products”  reports the blog post published by Trend Micro.

Windows Software Restriction Policies (SRP) are intended to give corporate administrators control over the software run on any machine, giving system administrators an easy software management capability.

“Software Restriction Policies (SRP) is Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.”

The BKDR_VAWTRAK malware searches for directories related to the processes it wants to block. If it finds them, it adds the following registry entries to force applications in that directory to run with restricted privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
ItemData = “{AV software path}”
SaferFlags = “0”

“As a result, any file under the said directory would not run, returning the following error message:”
VAWTRAK malware
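
A defender can audit for this by listing the SRP path rules on a host and checking whether any blocking rule points at a security product directory. The Python sketch below is an added example, not code from Trend Micro or the original article; it parses the text output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s`. The sample output, GUIDs, function names and the handling of the level subkey (0 = Disallowed in the standard SRP layout) are assumptions.

```python
import re

# Subset of the directory names listed in the article; extend with the full list.
SECURITY_DIRS = ("ESET", "Trend Micro", "Kaspersky Lab", "Malwarebytes", "AVG")

# Assumption (standard Windows SRP layout, not stated in the article): rules sit under
# ...\CodeIdentifiers\<level>\Paths\{GUID}; level 0 = Disallowed, 262144 = Unrestricted.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\.*\\Safer\\CodeIdentifiers\\(?:(\d+)\\)?Paths\\(\{[^}]+\})$", re.I)
VAL_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*)$")

# Constructed sample of `reg query ... /s` output; GUIDs and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-1111-1111-1111-111111111111}
    ItemData    REG_SZ    C:\Program Files\ESET
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{22222222-2222-2222-2222-222222222222}
    ItemData    REG_SZ    C:\Users\Public\Games
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{33333333-3333-3333-3333-333333333333}
    ItemData    REG_EXPAND_SZ    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
"""

def parse_path_rules(text):
    """Return one dict per SRP path rule found in `reg query /s` output."""
    rules, current = [], None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = {"level": key.group(1), "guid": key.group(2), "ItemData": ""}
            rules.append(current)
        elif line.startswith("HKEY_"):
            current = None                      # some other key: stop collecting values
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1)] = val.group(2).strip()
    return rules

def blocked_security_dirs(rules):
    """Return (guid, path) for blocking rules that target a security product directory."""
    wanted = {d.lower() for d in SECURITY_DIRS}
    return [(r["guid"], r["ItemData"]) for r in rules
            if r["level"] in (None, "0")        # skip allow rules such as 262144
            and wanted & {p.lower() for p in re.split(r"[\\/]+", r["ItemData"])}]

if __name__ == "__main__":
    for guid, path in blocked_security_dirs(parse_path_rules(SAMPLE)):
        print(f"SRP path rule {guid} blocks {path}")
```

Any hit on a machine where administrators have not deployed SRP through Group Policy deserves investigation, since a blocking rule on an antivirus directory has no legitimate purpose.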

BKDR_VAWTRAK has so far been found only in Japan, but given its ability to defend itself against different AVs, it is bound to become a major headache for security app makers as well as users in future. The 53 AV software products which could not identify it due to its defence mechanism are given below:
  1. a-squared Anti-Malware
  2. a-squared HiJackFree
  3. Agnitum
  4. Alwil Software
  5. AnVir Task Manager
  6. ArcaBit
  7. AVAST Software
  8. AVG
  9. avg8
  10. Avira GmbH
  11. Avira
  12. BitDefender
  13. BlockPost
  14. Common Files\Doctor Web
  15. Common Files\G DATA
  16. Common Files\P Tools
  17. Common Files\Symantec Shared
  18. DefenseWall
  19. DefenseWall HIPS
  20. Doctor Web
  21. DrWeb
  22. ESET
  23. f-secure
  24. F-Secure\F-Secure Internet Security
  25. FRISK Software
  26. G DATA
  27. K7 Computing
  28. Kaspersky Lab Setup Files
  29. Kaspersky Lab
  30. Lavasoft
  31. Malwarebytes
  32. Malwarebytes’ Anti-Malware
  33. McAfee
  34. McAfee.com
  35. Microsoft Security Client
  36. Microsoft Security Essentials
  37. Microsoft\Microsoft Antimalware
  38. Norton AntiVirus
  39. Online Solutions
  40. P Tools Internet Security
  41. P Tools
  42. Panda Security
  43. Positive Technologies
  44. Sandboxie
  45. Security Task Manager
  46. Spyware Terminator
  47. Sunbelt Software
  48. Symantec
  49. Trend Micro
  50. UAenter
  51. Vba32
  52. Xore
  53. Zillya Antivirus
