Security engineers at Trend Micro have discovered that a banking credential stealer named BKDR_VAWTRAK abuses a Windows feature, Software Restriction Policies (SRP), to prevent antivirus applications from identifying it and putting it into quarantine.
Trend Micro discovered this behaviour while investigating Japanese Internet users who were infected by the trojan. BKDR_VAWTRAK uses Windows itself to try to defeat the security software that would otherwise identify it on infected machines. Like many other banking malware families, BKDR_VAWTRAK has data-stealing capabilities focused on victims' online banking credentials at several Japanese banks.
Trend Micro's malware specialists noticed that the malicious agent abuses SRP to prevent victims' systems from running almost all of the major antivirus and security products, including those from Trend Micro, ESET, AVG, Symantec, Microsoft, Intel and others. Trend Micro said it tested 53 different applications and found that BKDR_VAWTRAK defends itself against all of them. SRP offers several ways to identify which applications may run on a system: by cryptographic hash, by digital signature, by download source, or simply by their path on the system.
BKDR_VAWTRAK uses the path on the system to single out the applications it blocks.
“The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003.” “There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for the following directories under the %Program Files% and %All Users Profile%Application folder, which are used by various security products” reports the blog post published by Trend Micro.
Windows Software Restriction Policies (SRP) are intended to give corporate administrators control over the software that runs on any machine in the domain, providing system administrators with an easy software management capability.
“Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.”
BKDR_VAWTRAK searches for the directories used by the products it wants to block; for each one it finds, it adds the following registry entry, which causes applications under that directory to be restricted from running:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
ItemData = “{AV software path}”
SaferFlags = “0”
“As a result, any file under the said directory would not run, returning the following error message:”
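As an added example (not code from the Trend Micro report), the following PowerShell audit script enumerates the SRP path rules stored under the registry key described above and flags Disallowed-level entries whose ItemData points at a security product directory. The level-key layout (level `0` meaning Disallowed) and the watch list of directory names are assumptions drawn from standard SRP behaviour and the list on this page.

```powershell
# Audit SRP path rules for entries that block security software (added example).
# Assumed layout: ...\Safer\CodeIdentifiers\<level>\Paths\<GUID>, level 0 = Disallowed.
# Run from an elevated PowerShell session on the machine being examined.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Subset of the directory names the report says VAWTRAK looks for; extend as needed.
$WatchList = @('Trend Micro', 'ESET', 'AVG', 'Symantec', 'Kaspersky Lab', 'McAfee',
               'Microsoft Security Client', 'Malwarebytes', 'Avira', 'BitDefender',
               'Sandboxie', 'Panda Security', 'F-Secure', 'Doctor Web', 'G DATA')

function Get-SrpPathRule {
    if (-not (Test-Path $SaferRoot)) { return }
    # Each numeric level key (0 = Disallowed, 262144 = Unrestricted, ...) may hold a Paths subkey.
    foreach ($level in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        $pathsKey = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level      = $level.PSChildName        # '0' means the rule blocks execution
                RuleGuid   = $rule.PSChildName
                ItemData   = $props.ItemData           # directory the rule applies to
                SaferFlags = $props.SaferFlags
                Suspicious = [bool]($WatchList | Where-Object { $props.ItemData -like "*$_*" })
            }
        }
    }
}

$rules = Get-SrpPathRule
if (-not $rules) { Write-Output 'No SRP path rules present.'; return }
$rules | Format-Table -AutoSize

$hits = $rules | Where-Object { $_.Suspicious -and $_.Level -eq '0' }
if ($hits) {
    Write-Warning "Found $(@($hits).Count) Disallowed-level path rule(s) targeting security software:"
    foreach ($h in $hits) { Write-Warning "  $($h.RuleGuid) -> $($h.ItemData)" }
    # Once a rule is confirmed malicious, removing its GUID key restores the product, e.g.:
    #   Remove-Item -Path (Join-Path $SaferRoot "0\Paths\$($h.RuleGuid)")
}
```

Legitimate SRP deployments usually arrive via Group Policy, so a Disallowed rule for an AV directory on a machine with no such policy is a strong indicator of tampering.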
BKDR_VAWTRAK has so far been found only in Japan, but given its ability to defend itself against so many AV products, it is bound to become a major headache for security software makers as well as users in the future. The 53 security product directories it blocks, preventing those products from identifying it, are listed below:
- a-squared Anti-Malware
- a-squared HiJackFree
- Agnitum
- Alwil Software
- AnVir Task Manager
- ArcaBit
- AVAST Software
- AVG
- avg8
- Avira GmbH
- Avira
- BitDefender
- BlockPost
- Common Files\Doctor Web
- Common Files\G DATA
- Common Files\P Tools
- Common Files\Symantec Shared
- DefenseWall
- DefenseWall HIPS
- Doctor Web
- DrWeb
- ESET
- f-secure
- F-Secure\F-Secure Internet Security
- FRISK Software
- G DATA
- K7 Computing
- Kaspersky Lab Setup Files
- Kaspersky Lab
- Lavasoft
- Malwarebytes
- Malwarebytes’ Anti-Malware
- McAfee
- McAfee.com
- Microsoft Security Client
- Microsoft Security Essentials
- Microsoft\Microsoft Antimalware
- Norton AntiVirus
- Online Solutions
- P Tools Internet Security
- P Tools
- Panda Security
- Positive Technologies
- Sandboxie
- Security Task Manager
- Spyware Terminator
- Sunbelt Software
- Symantec
- Trend Micro
- UAenter
- Vba32
- Xore
- Zillya Antivirus