Researchers at Trend Micro have discovered BKDR_VAWTRAK, a banking malware family. What makes it notable is that it turns a built-in Windows feature, Software Restriction Policies (SRP), against the system's own defenses: it uses SRP to restrict security software, including Trend Micro's own products.
SRP was introduced with Windows XP and Windows Server 2003 and is managed through Group Policy. It lets administrators blacklist or whitelist specific executables, or restrict what non-privileged users are allowed to run.
This is, of course, not the first time SRP has been abused by malicious software.
SRP can also be configured through the Local Group Policy Editor on any version of Windows:
Because these policies are stored as registry keys on the affected system, malware can simply create the keys directly, which, as Trend Micro reports, is exactly what BKDR_VAWTRAK does. In the example above, you can see the registry keys that were created under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers.
When the user tries to run a blocked executable, Windows refuses to start it:
In this way the malware controls the machine, since only the programs it permits are allowed to run. An up-to-date security product might otherwise have detected the malware, but the malware has already blocked it from running.
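The following PowerShell is an added example, not code from the Trend Micro write-up and not the malware's own code. It enumerates SRP path rules straight from the registry location named above and flags "Disallowed" rules that point at security products, which is the pattern described for BKDR_VAWTRAK; a small helper that writes such a rule in a lab is included so the detection can be exercised. It assumes Windows 7 or later, an elevated session (HKLM is writable only as an administrator), and the product-name fragments in $SuspectPatterns, which are illustrative and should be extended for your environment. The value names ItemData, SaferFlags and LastModified and the numeric level sub-keys are the layout the policy editor itself writes.

```powershell
# Added example: enumerate Software Restriction Policy path rules from the registry
# and flag Disallowed rules aimed at security products. Not from the original article.
# Assumes an elevated session; $SuspectPatterns is illustrative.

$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',   # machine policy
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'    # user policy
)

# The sub-key name under CodeIdentifiers is the numeric security level that the
# rules beneath it enforce.
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'BasicUser'
    262144 = 'Unrestricted'
}

# Illustrative directory-name fragments of security products (assumption; extend as needed).
$SuspectPatterns = @('Trend Micro', 'Windows Defender', 'Symantec', 'McAfee',
                     'Kaspersky', 'ESET', 'Sophos', 'Malwarebytes')

function Get-SrpPathRule {
    # Emits one object per path rule found under any level of any policy root.
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem $root) {
            $level = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem $pathsKey) {
                $p = Get-ItemProperty $ruleKey.PSPath
                [pscustomobject]@{
                    RuleId       = $ruleKey.PSChildName
                    Level        = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { $level }
                    Path         = [string]$p.ItemData
                    Description  = [string]$p.Description
                    # LastModified is a FILETIME stored as a QWORD
                    LastModified = if ($p.LastModified) { [DateTime]::FromFileTime($p.LastModified) } else { $null }
                    RegistryKey  = $ruleKey.Name
                }
            }
        }
    }
}

function Find-SuspiciousSrpRule {
    # A Disallowed rule whose path names a security product is the VAWTRAK pattern.
    foreach ($rule in Get-SrpPathRule) {
        if ($rule.Level -ne 'Disallowed') { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($rule.Path)
        foreach ($pattern in $SuspectPatterns) {
            if ($expanded -like "*$pattern*") {
                $rule | Add-Member -NotePropertyName MatchedPattern -NotePropertyValue $pattern -PassThru
                break
            }
        }
    }
}

function New-SrpDisallowedPathRule {
    # Lab helper: writes a Disallowed path rule the way the policy editor does,
    # i.e. a GUID-named sub-key holding ItemData, SaferFlags and LastModified.
    # Use only on a test machine and Remove-Item the returned key afterwards.
    param([Parameter(Mandatory)][string]$Path, [string]$Description = 'lab test rule')
    $key = Join-Path $SaferRoots[0] ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::Now.ToFileTime()) | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    $key
}

# Usage: list every rule, then report the suspicious ones. Uncomment the Remove-Item
# line (keep -WhatIf first) to preview remediation.
Get-SrpPathRule | Format-Table Level, Path, LastModified, RuleId -AutoSize
Find-SuspiciousSrpRule | ForEach-Object {
    "Disallowed rule $($_.RuleId) blocks '$($_.Path)' (matched '$($_.MatchedPattern)')"
    # Remove-Item -Path "Registry::$($_.RegistryKey)" -Recurse -WhatIf
}
```

Two practical notes. SRP is evaluated when a process is created, so a rule written directly to the registry takes effect for the next launch without any policy refresh, which is why creating the keys is all the malware needs to do. Blocked launches are also recorded in the Application event log under the source SoftwareRestrictionPolicies, so a sudden run of those events naming a security product's install directory is a second, host-independent place to look for this technique.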
Ironically, Microsoft's TechNet article describing SRP at its release in 2002 explains how the feature can be used to "fight viruses." Microsoft for ever!
I do not see the irony.