Thread: Banking malware using Windows to block anti-malware apps

  1. #1
    Laxus

    Banking malware using Windows to block anti-malware apps

    BKDR_VAWTRAK is using Software Restriction Policies to restrict security software.

    A trojan that's currently doing the rounds in Japan is using Windows itself to try to defeat security software on infected machines.

    Trend Micro reports that the BKDR_VAWTRAK malware, which steals credentials used for online banking at some Japanese banks, is using a Windows feature called Software Restriction Policies (SRP) to prevent infected systems from running a wide range of security programs, including anti-virus software from Microsoft, Symantec, and Intel. A total of 53 different programs are blocked by the malware.

    SRP is intended to give corporate administrators greater control over the software that systems can run. Normally configured through Group Policies, administrators can both whitelist and blacklist applications. Applications can be identified in several ways: by their cryptographic hash, digital signature, their download source, or simply their path on the system.

    BKDR_VAWTRAK is using this last method, the path, to block access to security software.

    The result is ironic. SRPs are intended to enhance system security by preventing the use of undesirable software. Here, they're being used to reduce system security by preventing the use of desirable software.

    While Trend Micro says this isn't the first malware to use this technique to prevent detection and removal, it's significant because BKDR_VAWTRAK has become widespread in Japan.
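
A defender-side check for the technique described in the post above, as an added example that is not part of the original thread or of Trend Micro's report: it reads Disallowed SRP path rules from the registry location Windows uses for them and flags any that point at security products. The watch-list terms and function names are illustrative assumptions.

```python
"""Added example: audit Software Restriction Policy path rules for blocked security tools."""
import sys

# Where Windows stores SRP path rules; security level 0 means "Disallowed".
SAFER_PATHS = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
# Assumption: illustrative watch-list, replace with the products you actually deploy.
WATCHLIST = ("windows defender", "microsoft security client", "symantec", "trend micro")


def read_disallowed_path_rules():
    """Return [(hive, guid, path)] for every Disallowed path rule (Windows only)."""
    import winreg  # imported lazily so the matching logic can be tested anywhere
    rules = []
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            paths_key = winreg.OpenKey(hive, SAFER_PATHS)
        except OSError:
            continue  # no SRP path rules defined in this hive
        with paths_key:
            for i in range(winreg.QueryInfoKey(paths_key)[0]):
                guid = winreg.EnumKey(paths_key, i)
                with winreg.OpenKey(paths_key, guid) as rule:
                    try:
                        item, _type = winreg.QueryValueEx(rule, "ItemData")
                    except OSError:
                        continue  # rule subkey without a path value
                    rules.append((name, guid, str(item)))
    return rules


def flag_security_blocks(rules, watchlist=WATCHLIST):
    """Return the rules whose path mentions a watched security product."""
    hits = []
    for hive, guid, path in rules:
        lowered = path.lower()
        if any(term in lowered for term in watchlist):
            hits.append((hive, guid, path))
    return hits


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being examined")
    rules = read_disallowed_path_rules()
    for hive, guid, path in flag_security_blocks(rules):
        print(f"[!] {hive} Disallowed path rule {guid}: {path}")
    print(f"{len(rules)} Disallowed path rule(s) examined")
```

Administrators may have legitimate Disallowed rules of their own, so a hit is a lead to compare against the configured Group Policy rather than proof of infection.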

  2. #2
    pachanga boys
    Hmmmmm not news, but interesting. More Citadel junk I suppose!