
Can Vawtrak malware block enterprise security software?

Emerging malware, like the Vawtrak banking malware, has the ability to block enterprise antimalware measures. Expert Nick Lewis explains how to mitigate the risk.

I read about a form of malware that is using Windows' own software to block enterprise security software from doing its job. Can you explain how this malware works? What other measures should be put in place if the ones we have can be blocked?

Senior Threat Research Engineer Marilyn Melliang of Trend Micro Inc. wrote a blog post about the malware and its use of Windows software restriction policies (SRP).

This malware, dubbed Vawtrak, is modular malware capable of disabling any antimalware software by using SRP, which minimizes the chances of it being detected and removed.

This technique is less common than simply killing the processes that antimalware tools need in order to run, but it is potentially more effective. Antimalware tools have built-in defenses against an attacker who just kills their processes, deletes their files or uninstalls the software. Using SRP to disable antimalware is more involved -- it requires correctly configuring the policy to block every antimalware tool that might be present -- so Vawtrak uses an initial downloader to get onto the system and then executes the malicious code that infects it.

Vawtrak uses Windows SRP to try to disable 53 different antimalware tools. By putting the paths to the executable files used by the antimalware tools into an SRP list of disallowed paths, Vawtrak prevents them from running on the system, and therefore disables the antimalware tool.

Generally, traditional endpoint antimalware troubleshooting doesn't look into the SRP configuration. However, starting a system from safe mode or connecting the infected hard drive to a known secure system with updated antimalware definitions could potentially remove the malware.

Enterprises can use the same steps that protect endpoints from malware to protect against Vawtrak, but should verify that their tools can detect it and any other malware that attempts to change SRP or other whitelisting controls. Host-based intrusion detection tools that monitor for configuration changes on the host could also detect the changes Vawtrak makes.
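One way to verify the point above on a Windows host is to audit the SRP configuration directly, since a Disallowed path rule pointing at a security product's directory is exactly the symptom described. The following PowerShell is an added example, not code from the article, Trend Micro or Microsoft. It reads SRP's registry store (the documented location under `SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, where subkey 0 holds Disallowed rules, 131072 Basic User and 262144 Unrestricted) and flags Disallowed rules whose path matches a security product. The list of product directory names is a constructed sample that should be replaced with the products actually deployed.

```powershell
# Added example, not code from the article or from Trend Micro: audit the
# Software Restriction Policy (SRP) rules on a host and flag path rules that
# would stop endpoint security software from running.
#
# SRP stores its rules in the registry under
#   <hive>\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>
# where <level> is 0 (Disallowed), 131072 (Basic User) or 262144 (Unrestricted),
# and each rule key holds the path in its ItemData value.

$SecurityLevels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

# Constructed sample of directory-name fragments used by endpoint security tools.
# Extend this to match the products deployed in your environment.
$SecurityProductHints = @(
    'Windows Defender', 'Microsoft Security Client', 'Trend Micro',
    'Symantec', 'McAfee', 'Kaspersky', 'Sophos', 'ESET', 'Malwarebytes'
)

function Get-SrpPathRule {
    # Enumerates every SRP path rule in the machine and user hives.
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($level in $SecurityLevels.Keys) {
            $pathsKey = Join-Path $base "$level\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Hive        = $hive
                    Level       = $SecurityLevels[$level]
                    RuleId      = $ruleKey.PSChildName
                    Path        = [string]$rule.ItemData
                    # Rules often use %ProgramFiles% etc.; expand for matching.
                    Expanded    = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
                    Description = [string]$rule.Description
                }
            }
        }
    }
}

function Find-SrpSecuritySoftwareBlock {
    # Returns every Disallowed path rule, marking those whose target matches a
    # security product directory. The full list lets you diff against the
    # rules your own Group Policy is supposed to deploy.
    $disallowed = @(Get-SrpPathRule | Where-Object Level -eq 'Disallowed')
    foreach ($rule in $disallowed) {
        $hit = $SecurityProductHints | Where-Object { $rule.Expanded -like "*$_*" }
        $rule | Add-Member -NotePropertyName Suspicious -NotePropertyValue ([bool]$hit) -PassThru
    }
}

function Get-SrpEnforcementSetting {
    # Shows whether SRP is enforced and for whom. Value meanings are Microsoft's:
    # DefaultLevel as in $SecurityLevels; TransparentEnabled 1 = all files
    # except libraries, 2 = all files; PolicyScope 0 = all users,
    # 1 = all users except local administrators.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return $null }
    $ci = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DefaultLevel       = $SecurityLevels[[string]$ci.DefaultLevel]
        TransparentEnabled = $ci.TransparentEnabled
        PolicyScope        = $ci.PolicyScope
    }
}

# Usage: run from an elevated prompt. Any row with Suspicious = True, or any
# Disallowed rule that is not in your documented policy, warrants investigation.
Get-SrpEnforcementSetting
Find-SrpSecuritySoftwareBlock |
    Sort-Object Suspicious -Descending |
    Format-Table Hive, Level, Suspicious, Path, Description -AutoSize
```

Because SRP policy deployed by Group Policy is re-applied at refresh, the useful comparison is between the rules found on the host and the rules the domain policy is supposed to set; a Disallowed path rule that exists only locally, or one covering a security product directory, is the kind of change a host-based intrusion detection tool should be raising.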


This was last published in February 2015

3 comments

Good article! But the obvious next question is: "which endpoint security suites can detect if their functionality is blocked by SRP policy changes"?

I just followed the article's link to "Using SRP" and found a very enlightening, and very short, video tutorial on how to use Software Restriction Policies to allow or deny software package installs in a Windows Domain environment. Naturally hackers would get around to using group policy hacking as a way to enable APTs to install and run forever, undetected by security suites and other antimalware apps. Once you understand how Windows works, you can spot many of your potential vulnerabilities the way the bad guys do - just look for the cloaking devices.

When I was younger, a famous phrase stated: as birds have learnt to fly without perching, so hunters have learnt to shoot without missing. Malware has become very sophisticated, actually using the computer software against itself. As sad as it is, I think the technique utilized by the malware is ingenious and the creators should be applauded for such creativity. It's about time that Microsoft really gets a run for their money.
