Windows used by malware to carry out banking attacks

Windows has become a weapon for cyber attackers, who are using it to bypass anti-malware programs in order to empty bank accounts.

Trend Micro found that the BKDR_VAWTRAK malware family is using the Windows Software Restriction Policies (SRP) feature to prevent infected machines from detecting it.

So far it has been used to attack a host of Japanese banking customers, using its combination of backdoor and infostealer behaviours to steal banking details and other sensitive information.

The malware, which has managed to downgrade a total of 53 different anti-virus programs from the likes of Microsoft, Symantec, and Intel, works by attempting to downgrade the privileges of security software so that it is, in effect, turned off.

Windows’s SRP feature, which was first introduced in Windows XP and Server 2003, is described by Trend Micro as a “very early form of whitelisting or blacklisting” and is intended to carry out a variety of tasks. These include fighting viruses, regulating which ActiveX controls can be downloaded, running only digitally signed scripts, making sure that only approved software is installed on computers, and locking down a machine.

Applications that are blacklisted or whitelisted by SRP can be identified in a range of different ways, such as by their cryptographic hash, digital signature, download source or path within the system. The last of these, the path rule, is being used by BKDR_VAWTRAK to block access to security software.
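Defenders can check a host for this kind of abuse by reviewing its SRP path rules. The following is an added example, not code from Trend Micro or the original article: it parses saved `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /s` output and flags path rules below the Unrestricted level that point at security-software directories. The sample output and the list of vendor substrings are constructed assumptions.

```python
import re

# SRP security levels, as encoded in the registry subkey name under CodeIdentifiers.
LEVELS = {0: "Disallowed", 4096: "Untrusted", 65536: "Constrained",
          131072: "Basic User", 262144: "Unrestricted"}
UNRESTRICTED = 262144

KEY_RE = re.compile(r"\\Safer\\CodeIdentifiers\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\})\s*$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Assumption: substrings that identify security-product install paths; tune per estate.
SECURITY_HINTS = ("windows defender", "microsoft security client", "symantec", "mcafee")

# Constructed sample of `reg query ... /s` output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-1111-1111-1111-111111111111}
    ItemData    REG_SZ    C:\Program Files\Symantec
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{22222222-2222-2222-2222-222222222222}
    ItemData    REG_EXPAND_SZ    %TEMP%\*.exe
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{33333333-3333-3333-3333-333333333333}
    ItemData    REG_SZ    C:\Program Files\Windows Defender
    SaferFlags    REG_DWORD    0x0
"""

def parse_path_rules(reg_text):
    """Return one dict per SRP path rule found in `reg query /s` output."""
    rules, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.search(line)
            current = {"level": int(m.group(1)), "guid": m.group(2), "path": None} if m else None
            if current:
                rules.append(current)
            continue
        m = VALUE_RE.match(line)
        if current is not None and m and m.group(1).lower() == "itemdata":
            current["path"] = m.group(3).strip()
    return rules

def suspicious_rules(rules, hints=SECURITY_HINTS):
    """Flag rules that restrict (level below Unrestricted) a security-product path."""
    return [(LEVELS.get(r["level"], str(r["level"])), r["path"]) for r in rules
            if r["level"] < UNRESTRICTED and any(h in (r["path"] or "").lower() for h in hints)]

if __name__ == "__main__":
    for level, path in suspicious_rules(parse_path_rules(SAMPLE)):
        print(f"review SRP rule: {level} -> {path}")
```

A restrictive rule on a temp directory, like the second sample entry, is ordinary hardening and is deliberately not flagged; only restrictions aimed at security-software paths are reported.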

Trend Micro added that this isn’t the first time the above method has been used by a malware program, but it is the prominence of the VAWTRAK attacks in Japan that makes it all the more worrying.