25 August 2015
Actually, I am preparing a post about information disclosure caused by e.g. unhandled exceptions in web applications (CWE-391). During security assessments in the past weeks I found all kinds of error messages, from no error message to detailed output of the program stack and all configuration variables. A nightmare!
But when I read about the capabilities of the Vawtrak malware in Nick Lewis's post “Can Vawtrak malware block enterprise security software?”, I changed my mind. Malware that uses Windows Software Restriction Policies (SRP) to prevent anti-malware software from running sounds really strange, and really interesting. In his fascinating white paper “Analysis of Banking Trojan Vawtrak”, Jakub Křoustek from AVG’s virus lab analyzes the program in detail.
By the way, adding an SRP to the Windows operating system requires administrative privileges. If users work with limited privileges and User Account Control is set to the highest level, “Always notify me”, Vawtrak has a hard job infecting the computer and stopping the anti-malware software.
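One way to check a machine for this kind of tampering, as an added example that is not part of the original post or of the cited analyses: the PowerShell below lists machine-wide SRP path rules at the Disallowed level and flags those that cover security software. The keyword list and the function name are illustrative assumptions.

```powershell
# Added example: audit machine-wide Software Restriction Policy path rules.
# Level "0" under CodeIdentifiers is the "Disallowed" security level.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# Assumption: illustrative keywords only. Replace them with the install
# paths of the security products actually deployed in your environment.
$WatchWords = @('Windows Defender', 'Antivirus', 'AntiMalware', 'Endpoint')

function Get-SrpDisallowedRule {
    # Hypothetical helper name; returns one object per Disallowed path rule.
    if (-not (Test-Path -LiteralPath $SrpRoot)) { return }   # no SRP path rules

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in Get-ChildItem -LiteralPath $SrpRoot) {
        # Each rule is a {GUID} subkey; ItemData holds the blocked path.
        $raw = $key.GetValue('ItemData', $null, $noExpand)
        if (-not $raw) { continue }

        # Expand %ProgramFiles% and similar so keyword matching sees real paths.
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $hits = $WatchWords | Where-Object { $expanded -like "*$_*" }

        # LastModified is stored as a FILETIME; it may be absent on some rules.
        $stamp = $key.GetValue('LastModified', $null)
        $when  = if ($null -ne $stamp) { [DateTime]::FromFileTimeUtc([int64]$stamp) }

        [pscustomobject]@{
            RuleId      = $key.PSChildName
            Path        = $expanded
            ModifiedUtc = $when
            Suspicious  = [bool]$hits
        }
    }
}

# Show flagged rules first; an empty result means no Disallowed path rules exist.
Get-SrpDisallowedRule |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Any Disallowed rule that was not deployed by your own Group Policy deserves investigation, whether or not it matches a keyword.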
It’s always the same old story: We get into considerable trouble because we haven’t got the basics right.
Take care!