Malware uses SRP to disable Antivirus

Discussion in 'malware problems & news' started by Minimalist, Jun 12, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    http://blog.trendmicro.com/trendlab...rity-feature-abused-blocks-security-software/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    That's why every HIPS should have a registry monitor; with this you can stop it quite easily. :)
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This begs the question of why the Software Restriction Policy allows this code to run in the first place.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    I guess that SRP is not enabled before infection happens. Malware then enables SRP and blacklists AV's executable files...
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That could be the case. Even so, it seems that either this malware has no trouble gaining root access or that the SRP portion of the registry doesn't require root or admin access to edit. Either way, it doesn't say much for Windows built in defenses.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    I doubt that it can get administrator rights if the user is using SUA or if UAC is turned on. Most people like to run as Administrator without prompts, so they disable Windows' built-in defenses. Malware creators know that and create malware that needs, and usually gets, Administrator rights. IMO the main problem is the user and not the OS.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Bypassing SRP doesn't require root access, unfortunately.

    SRP is strictly userspace - my understanding is that it's a bit like using a preloaded library on Linux to substitute no-op functions for the exec family. If the malware does not know about it, it might work. If OTOH the malware is designed to bypass it, it will be of no help at all.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Yes, but as I understand it, this article is not about bypassing SRP. It's about using SRP to disable AV. The question remains whether this can be accomplished by malware if basic OS defenses (SUA, UAC) are used and turned on.
    I guess that a lot of malware doesn't take SRP into account, as it is not used massively.
     
  9. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    WinPatrol has a registry monitor. There is stuff already there that WinPatrol has entered, however I have never placed anything there myself. A list of suggestions appears on their webpage but most are already setup by default.

    Which HKEY needs to be placed there to monitor the threat noted in this thread (is it the one at the bottom of the link)? It looks a bit generic to me.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Rules for SRP are located in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes exactly, problem solved. :)
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It's a protected registry root key, so unless the malware launches with administrative privileges, it can't modify that location. The article, at least in part, is just another antivirus company trying to endorse its product.

     
  13. WeAreAllHacked

    WeAreAllHacked Registered Member

    Joined:
    May 22, 2014
    Posts:
    28
    It's a good idea to use Windows' own functionality and other trusted tools to add holes to a system and weaken it. Once done, almost no security software will check for it or warn about it, so it's unlikely a user will detect it. Most software will let RATs through as long as they're "commercial" instead of "underground hacker made". The tools do the same things, but one is allowed to monitor, hide itself and send your files away while the other isn't.

    I think we will see more of this sort of stuff in the future. And people should already be monitoring Windows' own settings more closely (it's possible they or other trusted files are used against you, and no third-party hacking tool needs to be active to get your files).
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Or unless it gains admin privileges somehow.

    (On Windows Vista and later, that is hard. On Windows XP and 2003, it is quite easy if you can run a payload undetected.)

    Edit: Also I'm not sure about earlier versions, but Windows 7 has SRP related stuff under HKEY_CURRENT_USER as well. It might be possible to apply a limited SRP setup for one account that way. I would bet there is ransomware that does that...
     
    Last edited: Jun 16, 2014
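    The registry location given in post 10 and the HKEY_CURRENT_USER variant raised in post 14, as an added example that is not part of this thread or of the Trend Micro write-up: a PowerShell script that enumerates the SRP rules in both hives and flags any "Disallowed" rule whose target looks like security software. It relies on SRP's standard layout under CodeIdentifiers (level subkeys 0, 131072 and 262144 for Disallowed, Basic User and Unrestricted; Paths and Hashes subkeys with ItemData, FriendlyName and Description values; the DefaultLevel value on the root key). The $watch list of product names is a placeholder assumption to be replaced with the products actually installed.

```powershell
# Added example, not code from the thread. Lists SRP rules from HKLM and HKCU and
# flags Disallowed rules that name security software. Run in an elevated or a
# normal shell: HKLM is readable either way, and HKCU rules are writable without
# admin rights, which is why both scopes are checked.

function Get-SrpRules {
    # SRP level subkey names (assumed standard SRP layout, see lead-in)
    $levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
    $roots = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $scope = $root.Substring(0, 4)   # 'HKLM' or 'HKCU'
        $cfg = Get-ItemProperty -Path $root
        # Report the default level as a pseudo-rule so a policy flipped to
        # "Disallowed by default" is visible even when no explicit rules exist.
        $default = if ($null -eq $cfg.DefaultLevel) { 'not set (Unrestricted)' } else { $levels["$($cfg.DefaultLevel)"] }
        [pscustomobject]@{ Scope = $scope; Level = $default; Kind = 'Default'; Item = '*'; Description = 'DefaultLevel'; RuleId = '' }

        foreach ($lvl in $levels.Keys) {
            foreach ($kind in 'Paths', 'Hashes') {
                $sub = Join-Path $root "$lvl\$kind"
                if (-not (Test-Path $sub)) { continue }
                foreach ($key in Get-ChildItem -Path $sub) {
                    $p = Get-ItemProperty -Path $key.PSPath
                    # Path rules keep the pattern in ItemData; hash rules keep the hash
                    # there and the original file name in FriendlyName.
                    $item = if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName }
                    [pscustomobject]@{
                        Scope = $scope; Level = $levels[$lvl]; Kind = $kind
                        Item = $item; Description = $p.Description; RuleId = $key.PSChildName
                    }
                }
            }
        }
    }
}

# Assumption: substrings of the install paths or binary names of the security
# products deployed on this machine; replace with the real list.
$watch = @('Windows Defender', 'MsMpEng', 'Malwarebytes', 'avast', 'Kaspersky', 'ESET', 'Symantec', 'McAfee')

$rules = @(Get-SrpRules)
if ($rules.Count -eq 0) {
    Write-Host 'No SRP policy present in HKLM or HKCU.'
} else {
    $rules | Format-Table Scope, Level, Kind, Item, RuleId -AutoSize

    # A legitimate whitelist policy blocks by default and allows known paths;
    # what the article describes is the inverse: explicit Disallowed rules
    # aimed at the AV's own executables.
    $suspect = foreach ($r in $rules) {
        if ($r.Level -ne 'Disallowed' -or $r.Kind -eq 'Default') { continue }
        foreach ($w in $watch) {
            if ("$($r.Item)" -like "*$w*") { $r; break }
        }
    }
    if ($suspect) {
        foreach ($r in $suspect) {
            Write-Warning ("{0} {1} rule {2} disallows '{3}' (description: {4})" -f $r.Scope, $r.Kind, $r.RuleId, $r.Item, $r.Description)
        }
    } else {
        Write-Host 'No Disallowed rules match the watch list.'
    }
}
```

    Running it once on a clean machine and saving the table gives a baseline to diff against later; a Disallowed rule that appears under HKCU, or under HKLM on a machine where no SRP policy was ever deployed, is the condition the thread is discussing. A persistent registry monitor or a SACL audit on both CodeIdentifiers keys catches the write itself instead of the after-the-fact state.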
  15. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands