Software Restriction Policy to keep malware away

Published: 2010-06-07
Last Updated: 2010-06-07 16:17:25 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

Windows ships with controls that help keep machines safe. One set of these controls is configured through Group Policy Objects (GPOs), which apply to every computer in the domain. A specific group of these settings, Software Restriction Policies (SRP), lets an administrator restrict which software can run on the computers. It is a cheap and quick way to limit users' ability to execute programs.

We have received a report of a piece of malware that poses as a Flash postcard downloaded from the Tarjetasnico website (http://tarjetasnico.com). The malware disables any Software Restriction Policy configured on the computer and then downloads the real payload from a website in Germany.

When run, the initial program sets the following registry value:

Registry path: HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Value name:    DefaultLevel
Data:          262144 (0x40000)

The value 262144 (0x40000) is SAFER_LEVELID_FULLYTRUSTED, which sets the default security level to Unrestricted. An SRP whitelist works by setting the default level to Disallowed and adding Unrestricted rules for trusted paths, hashes or certificates; once the default is flipped to Unrestricted, any program that is not matched by an explicit Disallowed rule can run, so the whitelist no longer restricts anything.

Please enforce the permissions on this registry key on your company's computers so that users cannot modify it, and keep DefaultLevel at 0 (SAFER_LEVELID_DISALLOWED, the whitelist default) so the restriction policies remain active. Note that a value pushed by a GPO is not automatically re-applied at every policy refresh: by default the Group Policy client only rewrites registry policy when the GPO itself has changed (unless "Process even if the Group Policy objects have not changed" is enabled for registry policy processing), so a DefaultLevel tampered with locally can persist until the next policy change or a `gpupdate /force`.
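The check described above, as an added example that is not part of the original diary: a PowerShell script that reads DefaultLevel, reports which SAFER level it holds (flagging the 262144 value the postcard malware writes), lists any non-administrative principal with write access to the key, and optionally resets the value to 0. The trusted-principal list and the -Remediate switch are this example's own assumptions; the SAFER level constants are the ones defined in the Windows SDK header winsafer.h.

```powershell
# Added example (not from the original diary): audit the SRP DefaultLevel that the
# described malware flips, check who can write to the key, and optionally reset it.
# Run in an elevated PowerShell on the host being checked. The -Remediate switch and
# the $trusted principal list below are this example's own assumptions.
param([switch]$Remediate)

$SrpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$SrpValue = 'DefaultLevel'

# SAFER level identifiers from winsafer.h (decimal value in parentheses).
$SaferLevels = @{
    0x00000 = 'SAFER_LEVELID_DISALLOWED (0) - Disallowed, whitelist mode'
    0x01000 = 'SAFER_LEVELID_UNTRUSTED (4096) - Untrusted'
    0x10000 = 'SAFER_LEVELID_CONSTRAINED (65536) - Restricted'
    0x20000 = 'SAFER_LEVELID_NORMALUSER (131072) - Basic User'
    0x40000 = 'SAFER_LEVELID_FULLYTRUSTED (262144) - Unrestricted'
}

function Get-SrpDefaultLevel {
    # Returns the current DefaultLevel as an integer, or $null if SRP is not configured.
    $item = Get-ItemProperty -Path $SrpKey -Name $SrpValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$SrpValue
}

function Test-SrpDefaultLevel {
    # $true when the default level is anything other than Unrestricted.
    $level = Get-SrpDefaultLevel
    if ($null -eq $level) {
        Write-Warning "SRP is not configured on this host ($SrpKey / $SrpValue missing)."
        return $false
    }
    $label = $SaferLevels[$level]
    if (-not $label) { $label = "unknown level $level" }
    if ($level -eq 0x40000) {
        Write-Warning "DefaultLevel is $label. The SRP whitelist is disabled; this is the value the postcard malware writes."
        return $false
    }
    Write-Output "DefaultLevel is $label."
    return $true
}

function Test-SrpKeyAcl {
    # Flags any Allow ACE granting SetValue, WriteKey or FullControl to a principal
    # outside the trusted list (assumption: only SYSTEM and Administrators write here).
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::FullControl
    $clean = $true
    foreach ($ace in (Get-Acl -Path $SrpKey).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $who)) {
            Write-Warning "Write access on $SrpKey granted to $who ($($ace.RegistryRights))."
            $clean = $false
        }
    }
    return $clean
}

function Restore-SrpDefaultLevel {
    # Resets DefaultLevel to 0 (Disallowed). Only do this where the SRP policy also has
    # Unrestricted path rules for %SystemRoot% and %ProgramFiles%; otherwise nothing runs.
    if (-not (Test-Path $SrpKey)) { New-Item -Path $SrpKey -Force | Out-Null }
    Set-ItemProperty -Path $SrpKey -Name $SrpValue -Value 0 -Type DWord
    Write-Output "DefaultLevel reset to 0 (SAFER_LEVELID_DISALLOWED)."
}

$levelOk = Test-SrpDefaultLevel
$aclOk   = Test-SrpKeyAcl
if (-not $levelOk -and $Remediate) { Restore-SrpDefaultLevel }
if ($aclOk) { Write-Output "Only trusted principals can write to $SrpKey." }
```

Where SRP is delivered by a GPO, `gpupdate /force` also restores the value, since /force re-applies the policy regardless of whether the GPO version changed. The ACL test is there because the key under HKLM\Software\Policies is already administrator-only by default; finding a broader ACE means someone loosened it, and that is worth knowing even before DefaultLevel has been touched.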

-- Manuel Humberto Santander Peláez  |  http://twitter.com/manuelsantander  |  http://manuel.santander.name | msantand at isc dot sans dot org


Comments

Writing to this section of the registry would require administrator or system rights. The first step in SRP guidance is to remove administrator rights so malware (or the user) can't simply drop itself into an allowed location or edit the registry.
