Security researchers analyzing the BKDR_VAWTRAK malware, which touts backdoor and data pilfering functionalities and has been targeting the banking credentials of numerous targets in Japan, is also capable of downgrading the privileges of security software in order to circumvent protections.
“The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003. It can be thought of as a very early form of whitelisting or blacklisting feature,” the researchers reported.
“In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for… directories under the %Program Files% and %All Users Profile%\Application folder, which are used by various security products.”
If the malware finds that any of the directories the researchers identified are present, it proceed to add a registry entry that can force any applications within that directory to be executed with restricted privileges, and infected users may be presented with a Windows error message that says the application can not be ran due to a software restriction policy.
“This is not the only time we have seen this tactic used, but the prominence of recent VAWTRAK attacks means there are more users affected by it than normal.”
Read More Here…