Technology News

latest updates from easySERVICE™

Windows Software Restriction Policies (SRP) to restrict the privileges of security software


Trend Micro researchers have written about a twist in the BKDR_VAWTRAK banking malware in Japan. It is using Windows Software Restriction Policies (SRP) to restrict the privileges of security software, including Trend’s.

SRP is a feature that was introduced in Windows XP and Windows Server 2003 and is generally administered through Group Policy. It is designed to allow administrators to blacklist and whitelist specific executable programs, or to restrict them to unprivileged (standard user) execution.

This is not the first time SRP has been used by malware, but Trend Micro says that the prominence of VAWTRAK attacks makes it more significant.

SRP can also be invoked with the Local Policy Editor in any version of Windows:

[Screenshot: SRP.sample]

And since policies translate to registry keys on the systems being managed, it is also possible to create the registry keys directly, which is what Trend Micro reports the malware does. In the example above, the registry keys are placed in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers.

When the user attempts to run the executable, they are prevented by Windows from doing so:

[Screenshot: SRP.blockage]

The malware must itself be executing in a privileged context in order to create these registry keys, and it must execute in spite of the presence of the security software it is attempting to block. Potentially, updates to the security software could find the malware, but not if the malware has been blocked in this way.

Ironically, the Microsoft TechNet article introducing SRP on New Year's Day 2002 describes how it can be used to “fight viruses.” The other purposes described in the article are:

  • Regulate which ActiveX controls can be downloaded
  • Run only digitally signed scripts
  • Enforce that only approved software is installed on system computers
  • Lock down a machine

Trend Micro lists 53 products and companies for which the malware looks on the infected system. If it finds any, it creates an SRP for that program.
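To check a host for rules like these from the defender's side, here is an added PowerShell example (not Trend Micro's or Microsoft's code) that walks the codeidentifiers key named above and reports Disallowed and Basic User path rules. The hives checked, the numeric level values and the short vendor word list are assumptions; the word list is only a placeholder for Trend Micro's list of 53 products.

```powershell
# Added example: enumerate SRP path rules from the registry and flag any
# Disallowed / Basic User rule that names a security product.
# Assumption: SRP stores rules under <hive>\...\safer\codeidentifiers\<level>\Paths\<GUID>
# with the levels 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$Levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
# Constructed placeholder list; substitute the product names you actually run.
$WatchWords = @('trend', 'antivirus', 'defender', 'security')

function Get-SrpPathRules {
    param([string[]]$Hives = @('HKLM', 'HKCU'))   # both machine and user policy
    foreach ($hive in $Hives) {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers"
        if (-not (Test-Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultLevel
        foreach ($lvl in $Levels.Keys) {
            $paths = Join-Path $base "$lvl\Paths"
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem -Path $paths) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # LastModified is assumed to be a FILETIME stored as REG_QWORD
                $when = if ($p.LastModified) { [DateTime]::FromFileTime([int64]$p.LastModified) }
                [pscustomobject]@{
                    Hive         = $hive
                    Level        = $Levels[$lvl]
                    DefaultLevel = $default
                    RuleId       = $rule.PSChildName
                    Path         = $p.ItemData
                    Description  = $p.Description
                    LastModified = $when
                }
            }
        }
    }
}

$rules = Get-SrpPathRules
$rules | Format-Table -AutoSize

# A Disallowed or Basic User rule whose path or description mentions a
# security product is the pattern described in the post; surface it for review.
$suspect = foreach ($r in $rules) {
    if ($r.Level -eq 'Unrestricted') { continue }
    foreach ($w in $WatchWords) {
        if ("$($r.Path) $($r.Description)" -match [regex]::Escape($w)) { $r; break }
    }
}
if ($suspect) { Write-Warning "SRP rules restricting security software found:"; $suspect | Format-List }
```

Run it in an elevated session so both hives are readable; a clean host with no SRP configured simply prints nothing.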

Source: Associated Press
