This begs the question of why the Software Restriction Policy allows this code to run in the first place.
I guess that SRP is not enabled before infection happens. Malware then enables SRP and blacklists AV's executable files...
That could be the case. Even so, it seems that either this malware has no trouble gaining root access or that the SRP portion of the registry doesn't require root or admin access to edit. Either way, it doesn't say much for Windows built in defenses.
I doubt that it can get administrator rights if user is using SUA or if UAC is turned on. Most people like to run as Administrator without prompts so they disable Windows built-in defenses. Malware creators know that and create malware that needs and usually gets Administrator rights. IMO main problem is user and not OS.
Bypassing SRP doesn't require root access, unfortunately. SRP is strictly userspace - my understanding is that it's a bit like using a preloaded library on Linux to substitute no-op functions for the exec family. If the malware does not know about it, it might work. If OTOH the malware is designed to bypass it, it will be of no help at all.
Yes but as I understand this article is not about bypassing SRP. It's about using SRP to disable AV. The question remains if this can be accomplished by malware if basic OS defenses (SUA, UAC) are used and turned on. I guess that a lot of malware doesn't take SRP into account as it is not used massively.
WinPatrol has a registry monitor. There is stuff already there that WinPatrol has entered, however I have never placed anything there myself. A list of suggestions appears on their webpage but most are already setup by default. What Hkey needs to be placed there to monitor the threat noted in this thread (is it the one at the bottom of the link)? It looks to me as a bit generic.
Rules for SRP are located in registry in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
It's a protected registry root key, so unless the malware launches with administrative privileges, it can't modify that location. The article, at least in part, is just another antivirus company trying to endorse its product.
Its a good idea to use windows own functionality and other trusted tools to add holes to a system and weaken it. Once done, almost no security software will check for it or warn about it so its unlikely a user will detect it. Most software will let through RAT's as long as its "commercial" instead of "underground hacker made". The tools does the same things but one is allowed to monitor, hide itself and send your files away while one isn't. I think we will see more of these sort of stuff in the future. And people should already be monitoring windows own settings more closely (its possible they or other trusted files are used against you and no third party hacking tool is needed to be active to get your files).
Or unless it gains admin privileges somehow. (On Windows Vista and later, that is hard. On Windows XP and 2003, it is quite easy if you can run a payload undetected.) Edit: Also I'm not sure about earlier versions, but Windows 7 has SRP related stuff under HKEY_CURRENT_USER as well. It might be possible to apply a limited SRP setup for one account that way. I would bet there is ransomware that does that...
