    Author Archive - Marilyn Melliang (Senior Threat Research Engineer)

    We recently discussed the latest attacks affecting users in Japan that were the work of the BKDR_VAWTRAK malware. This malware family combines backdoor and infostealer behaviors and had recently added banking credential theft to its repertoire.

    It was also mentioned that this malware tries to downgrade the privileges of security software, including Trend Micro products. In this post, we will add more details on how VAWTRAK performs this routine, as well as provide information on potential countermeasures.

    How Software Restriction Policies Are Abused

    The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003, and can be thought of as a very early form of application whitelisting or blacklisting. Microsoft’s own documentation states that this feature was intended to perform the following:

    1. Fight viruses
    2. Regulate which ActiveX controls can be downloaded
    3. Run only digitally signed scripts
    4. Enforce that only approved software is installed on system computers
    5. Lock down a machine

    There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine whether they should be blocked. It looks for the following directories under the %Program Files% and %All Users Profile%\Application folders, which are used by various security products:

    • a-squared Anti-Malware
    • a-squared HiJackFree
    • Agnitum
    • Alwil Software
    • AnVir Task Manager
    • ArcaBit
    • AVAST Software
    • AVG
    • avg8
    • Avira GmbH
    • Avira
    • BitDefender
    • BlockPost
    • Common Files\Doctor Web
    • Common Files\G DATA
    • Common Files\P Tools
    • Common Files\Symantec Shared
    • DefenseWall
    • DefenseWall HIPS
    • Doctor Web
    • DrWeb
    • ESET
    • f-secure
    • F-Secure\F-Secure Internet Security
    • FRISK Software
    • G DATA
    • K7 Computing
    • Kaspersky Lab Setup Files
    • Kaspersky Lab
    • Lavasoft
    • Malwarebytes
    • Malwarebytes’ Anti-Malware
    • McAfee
    • Microsoft Security Client
    • Microsoft Security Essentials
    • Microsoft\Microsoft Antimalware
    • Norton AntiVirus
    • Online Solutions
    • P Tools Internet Security
    • P Tools
    • Panda Security
    • Positive Technologies
    • Sandboxie
    • Security Task Manager
    • Spyware Terminator
    • Sunbelt Software
    • Symantec
    • Trend Micro
    • UAenter
    • Vba32
    • Xore
    • Zillya Antivirus

    If it finds that any of the above directories are present, it adds the following registry entries to force applications in that directory to run with restricted privileges:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
        ItemData = "{AV software path}"
        SaferFlags = "0"

    As a result, any file under the said directory would not run, returning the following error message:

    Figure 1. Error message
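    As an added example (not code from the Trend Micro post), the following PowerShell script enumerates Software Restriction Policy path rules in the machine policy hive and flags any rule whose ItemData points at one of the security product directories listed above, which is exactly the artifact the registry entry above leaves behind. The vendor directory list is a subset of the post's list; the level-decoding regex assumes the numeric level subkey (0 = Disallowed) that SRP normally places between CodeIdentifiers and Paths, and reports "unknown" when that subkey is absent, so the check still works against the flat layout shown above. Run it from an elevated prompt.

```powershell
# Added example, not from the Trend Micro post: find SRP path rules that
# restrict security product directories (the VAWTRAK technique) and
# optionally remove them. Requires an elevated PowerShell session.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Subset of the directory names targeted by VAWTRAK (see the list above).
$securityDirs = @(
    'Trend Micro', 'Symantec', 'McAfee', 'Kaspersky Lab', 'ESET',
    'Malwarebytes', 'AVAST Software', 'AVG', 'Avira', 'BitDefender',
    'Microsoft Security Client', 'Microsoft Security Essentials',
    'Common Files\Symantec Shared', 'Microsoft\Microsoft Antimalware'
)

function Get-SaferPathRules {
    # Walk every subkey under CodeIdentifiers; a path rule is any key that
    # carries an ItemData value, whatever level subkey it sits under.
    if (-not (Test-Path $saferRoot)) { return @() }
    Get-ChildItem -Path $saferRoot -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'ItemData') {
                # Assumption: SRP stores the security level as a numeric subkey
                # name between CodeIdentifiers and Paths (0 = Disallowed).
                $level = 'unknown'
                if ($_.PSPath -match 'CodeIdentifiers\\(\d+)\\Paths') { $level = $Matches[1] }
                [PSCustomObject]@{
                    Key        = $_.PSPath -replace '^.*::', ''
                    Level      = $level
                    ItemData   = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                    SaferFlags = $props.SaferFlags
                }
            }
        }
}

function Test-SecurityProductPath {
    # True when the (expanded) rule path contains one of the vendor directories.
    param([string]$Path)
    foreach ($dir in $securityDirs) {
        if ($Path -like "*\$dir*") { return $true }
    }
    return $false
}

$suspicious = Get-SaferPathRules | Where-Object { Test-SecurityProductPath $_.ItemData }

if ($suspicious) {
    Write-Warning 'SRP path rules targeting security product directories:'
    $suspicious | Format-Table Key, Level, ItemData, SaferFlags -AutoSize
    # Remediation (uncomment after reviewing the output): delete the rules so
    # the affected products can start again, then refresh policy with gpupdate.
    # $suspicious | ForEach-Object { Remove-Item -Path "Registry::$($_.Key)" -Recurse -Force }
} else {
    Write-Output 'No SRP path rules targeting known security product directories.'
}
```

    A Disallowed rule (level 0) that a domain administrator did not deploy through Group Policy is the signal to act on; rules under the Unrestricted level are harmless and are listed only so the output is complete.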

    This is not the only time we have seen this tactic used, but the prominence of recent VAWTRAK attacks means there are more users affected by it than normal.

    To protect our users, we not only detect and remove BKDR_VAWTRAK malware, but we also specifically detect this particular behavior to ensure that Trend Micro products are able to run and provide the necessary protection as needed. We encourage users to download and use the latest available pattern files to ensure they have the most up-to-date protection available.

    Special mention to Rhena Inocencio for the malware analysis and Roddell Santos and Dexter To for the validation of this security feature.


    In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages. The malware was also notorious for downloading other malware, including ZeuS and ransomware, particularly its more sophisticated form, Cryptolocker. This was enough reason to believe that the UPATRE threat is constantly advancing its techniques, this time by using multiple levels of attachments.

    Spam within spam

    We took note of the new UPATRE malware technique when our research brought us to a spammed message that imitates emails from known banks such as Lloyds Bank and Wells Fargo. The “spam within spam” technique was already notable in itself, as the .MSG file contained another .MSG file attached; only this time, the attached file actually contains the UPATRE variant, which we detect as TROJ_UPATRE.YYKE.

    Figure 1. An email from “Lloyds Bank” contains a .MSG attachment

    Figure 2. Opening the .MSG attachment reveals a malicious .ZIP file

    Based on our analysis, TROJ_UPATRE.YYKE downloads its ZBOT tandem, detected as TSPY_ZBOT.YYKE. This ZBOT variant then drops a NECURS variant detected as RTKT_NECURS.RBC.

    The NECURS malware is notable for its final payload of disabling computers’ security features, putting computers at serious risk for further infections. It gained notoriety in 2012 for its kernel-level rootkit and backdoor capabilities. It is important to note that we are now seeing an increase of this malware, which can be attributed to UPATRE/ZBOT being distributed as attachments to spammed messages.
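    The nesting described above defeats scanners that only inspect the first layer of attachments. As an added example (not code from the Trend Micro post), the Python script below walks an email's attachment tree recursively and reports any archive or executable that sits inside an attached message rather than on the outer message. The post describes Outlook .MSG files attached to .MSG files; this example uses MIME message/rfc822 nesting as the stand-in, because Python's standard library parses that without extra packages. The sample message, the bank sender address and the attachment names are constructed for the example.

```python
"""Added example, not from the Trend Micro post: detect 'spam within spam',
an archive or executable hidden one or more attachment levels deep.
Uses MIME message/rfc822 nesting as a stand-in for Outlook .MSG-in-.MSG.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a scanner should treat as payload carriers at any nesting depth.
PAYLOAD_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".pif", ".js"}


def walk_attachments(msg, depth=0, path=()):
    """Yield (depth, path, filename) for every attachment, recursing into
    attached messages. `path` is the chain of attachment names leading here."""
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        yield depth, path, name
        # A message/rfc822 attachment is a complete message: descend into it.
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # EmailMessage under policy.default
            yield from walk_attachments(inner, depth + 1, path + (name,))


def find_nested_payloads(raw_bytes):
    """Parse a raw message and return payload attachments found at depth >= 1,
    i.e. ones that a first-layer-only scanner would miss."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for depth, path, name in walk_attachments(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if depth >= 1 and ext in PAYLOAD_EXTENSIONS:
            findings.append({"depth": depth, "via": path, "name": name})
    return findings


def build_sample():
    """Constructed sample shaped like the bank lure in the post:
    outer mail -> attached message -> attached ZIP (dummy bytes, not malware)."""
    inner = EmailMessage()
    inner["From"] = "alerts@example-bank.invalid"  # constructed sender
    inner["Subject"] = "Account statement"
    inner.set_content("Please review the attached statement.")
    inner.add_attachment(b"PK\x03\x04dummy", maintype="application",
                         subtype="zip", filename="statement.zip")

    outer = EmailMessage()
    outer["From"] = "alerts@example-bank.invalid"
    outer["To"] = "recipient@example.invalid"
    outer["Subject"] = "Important message from your bank"
    outer.set_content("See the attached message.")
    outer.add_attachment(inner, filename="message.msg")  # nest the whole message
    return outer.as_bytes()


if __name__ == "__main__":
    for f in find_nested_payloads(build_sample()):
        print("depth %d via %s: %s" % (f["depth"], " > ".join(f["via"]), f["name"]))
```

    The walk is depth-first with no cap on nesting, so a message attached three levels deep is still reached; in a mail gateway you would add a depth and size limit so a crafted message cannot exhaust the scanner.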

    Evolution of UPATRE

    UPATRE was first seen arriving as an archived file attachment of spammed messages in October of last year, after the fall of the Blackhole Exploit Kit. Once opened, it triggers an infection chain involving ZBOT and CRILOCK malware.

    A month after that, cybercriminals soon upped the ante by using password-protected archives as email attachments. The email includes the password as well as instructions on how to use the contents of the attachment. The use of passwords is highly notable as it adds a sense of legitimacy and importance to the message.

    UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions. Users should always be on their guard when dealing with unknown or unfamiliar emails, sites, or files. These could very well lead to threats. Practicing safety habits like using a security solution or double-checking links and attachments can help users protect their computers and their data from threats.

    Special mention to Chloe Ordonia for finding this new spam technique, and to Jaime Reyes for analyzing this malware.

    Posted in Malware, Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice