Researchers from Trend Micro discovered BKDR_VAWTRAK, a banking malware. This malicious program uses Windows Software Restriction Policies (SRP) to restrict the privileges of security software, including Trend Micro's own security products.
SRP is a feature added in Windows XP and Windows Server 2003 that is managed through Group Policy. It is designed to let administrators blacklist or whitelist specific executable programs, or restrict unprivileged users.
Of course this is not the first time that SRP is used by malicious software.
SRP can also be configured through the Local Policy Editor in any version of Windows:
Since these policies ultimately translate into registry keys on the affected systems, it is possible to create the registry keys directly, which is what Trend Micro reports the malware does. The above example shows the registry keys created under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers.
When the user tries to run the executable file, it is blocked by Windows:
This way the malware takes control of the computer, since only the files it wants are allowed to execute. An updated security product might have been able to find the malware, but the malware has already blocked it.
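An added defender-side audit example (not code from the article or from Trend Micro): it walks the codeidentifiers key described above, lists every SRP path rule, and flags Disallowed rules that point at security-vendor directories. It assumes the usual SRP layout in which each rule lives under a security-level subkey ("0" = Disallowed, "262144" = Unrestricted) at Paths\{GUID}, with the path in the ItemData value and a Description value; the vendor list is a constructed sample.

```powershell
# Added audit script (not from the article). Assumes the standard SRP registry layout:
#   <base>\<level>\Paths\{GUID}  with values ItemData (path) and Description.
# Level subkey "0" = Disallowed, "262144" (0x40000) = Unrestricted; other levels are shown raw.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers'

# Constructed sample of vendor path fragments that a blocking rule should never target.
$securityVendors = @('Trend Micro', 'Windows Defender', 'Symantec', 'McAfee', 'Kaspersky')

function Get-SrpPathRules {
    if (-not (Test-Path $base)) { return @() }   # no SRP rules at all on this machine
    $levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    foreach ($level in Get-ChildItem -Path $base) {
        $pathsKey = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            $name  = $level.PSChildName
            [pscustomobject]@{
                Level       = if ($levelNames.ContainsKey($name)) { $levelNames[$name] } else { $name }
                Path        = $props.ItemData
                Description = $props.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

function Find-SecurityBlockingRules {
    param([string[]]$Vendors = $securityVendors)
    # A Disallowed rule whose path names a security product is the pattern the article describes.
    foreach ($rule in Get-SrpPathRules) {
        if ($rule.Level -ne 'Disallowed' -or -not $rule.Path) { continue }
        foreach ($v in $Vendors) {
            if ($rule.Path -like "*$v*") { $rule; break }
        }
    }
}

# Usage: print every rule, then only the suspicious ones. A workstation that is not
# managed by Group Policy normally has no rules under this key at all.
Get-SrpPathRules | Format-Table -AutoSize
Find-SecurityBlockingRules | Format-Table -AutoSize
```

Run it elevated; any Disallowed rule naming a security vendor's directory on an unmanaged machine deserves investigation, and on a domain-managed one should be checked against the GPO that is supposed to own these keys.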
Ironically, Microsoft's TechNet article describing SRP, published on the day of its release (in 2002), explains how it can be used to "fight viruses." Microsoft forever!
I do not see the irony.