TrickBot can disable Windows Defender

According to Bleeping Computer, a new version of the TrickBot banking trojan continues its evolution of attacking security software. TrickBot has now set its sights on Windows Defender, the anti-malware component built into Windows 10. Besides targeting a wide array of international banks, TrickBot can harvest emails and credentials and steal from cryptocurrency wallets.

Compared to today’s anti-virus solutions Promon SHIELD™ for Windows has some clear advantages:

  • 100 % proactive technology: protects against both known and unknown malware without relying on prior knowledge (signatures) of the malware
  • Provides end-to-end security control for service providers
  • Transparent for the end-user, who does not have to take any action whatsoever.

An evolving threat

First discovered in 2016, TrickBot is a trojan which targets the customers of major banks. The malware has continually been updated in an attempt to stay ahead of defenders, and the most recent variant targets users who rely on Windows Defender.

In recent years, we have seen the malware evolve and add new capabilities. The most recent version, however, not only targets and evades Windows Defender but actually disables its protection.

Bleeping Computer reveals that researchers MalwareHunterTeam and Vitali Kremez reverse-engineered the malware and found it had added a further dozen methods to the attack arsenal. «These methods utilize either Registry settings or the Set-MpPreference PowerShell command to set Windows Defender preferences», Bleeping Computer reports.

The disabling process

When TrickBot is executed, it starts a loader that prepares the system by disabling Windows services associated with security software and by escalating to higher system privileges. When that is complete, it loads the «core» component by injecting a DLL that downloads the modules used to steal information.

Prior to the most recent version, the TrickBot loader only performed basic targeting of Windows Defender: disabling the WinDefend service, terminating processes associated with Windows Defender, and disabling real-time protection and security notifications.

The developers of the TrickBot trojan have now added more steps in their attempt to prevent Windows Defender from protecting users against this threat, using the Registry settings and Set-MpPreference changes described above.
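As a defender-side check that the article does not include, here is an added example (written for this edit, not code from Promon or from the Bleeping Computer research) that audits a Windows 10 host for the indicators just described: the state of the WinDefend service, the Get-MpPreference switches that Set-MpPreference can flip, the policy registry values that turn Defender off, and the Defender operational-log events that record protection being disabled or reconfigured. The cmdlets, registry paths and event IDs are standard Microsoft Defender ones; the seven-day lookback and the findings format are this script's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example: audit a Windows 10 host for the Defender tampering techniques
# described in the article (service stopped, preferences flipped, policy keys set).
# Not part of the original article. Requires an elevated PowerShell session.
$findings = @()

# 1. Service state: the TrickBot loader disables the WinDefend service.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'WinDefend service not found'
} elseif ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
    $findings += "WinDefend service status=$($svc.Status) starttype=$($svc.StartType)"
}

# 2. Live engine status as reported by the platform itself.
$status = Get-MpComputerStatus
foreach ($p in 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled') {
    if (-not $status.$p) { $findings += "Get-MpComputerStatus: $p is false" }
}

# 3. Preferences that the Set-MpPreference -Disable* switches flip.
$pref = Get-MpPreference
foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                'DisableScriptScanning', 'DisableBlockAtFirstSeen', 'DisableArchiveScanning') {
    if ($pref.$p) { $findings += "Get-MpPreference: $p is true" }
}
# Exclusions are a quieter way to blind Defender: report any that exist.
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($e in @($pref.$kind)) { if ($e) { $findings += "Exclusion ${kind}: $e" } }
}

# 4. Policy registry values that override both the UI and the cmdlets.
$policyChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' =
        @('DisableAntiSpyware', 'DisableAntiVirus')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' =
        @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection',
          'DisableScanOnRealtimeEnable', 'DisableIOAVProtection')
}
foreach ($key in $policyChecks.Keys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($name in $policyChecks[$key]) {
            if ($item.$name -eq 1) { $findings += "Registry ${key}\${name} = 1" }
        }
    }
}

# 5. Defender operational-log events from the last 7 days (lookback is this script's choice):
#    5001 real-time protection disabled, 5007 configuration changed,
#    5010/5012 scanning disabled, 5013 a change was blocked by tamper protection.
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012, 5013
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $findings += "Event $($ev.Id) at $($ev.TimeCreated): $(($ev.Message -split "`n")[0])"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Output 'Defender tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean host produces no findings; a host where a loader has run the sc/taskkill/Set-MpPreference sequence described above typically shows a stopped service, several `Disable*` preferences set to true and a burst of 5001/5007 events at the time of infection. Note that on Windows 10 builds with Tamper Protection enabled, such changes from non-Microsoft processes are blocked and logged as event 5013, so the audit should be treated as a detective control that complements, rather than replaces, that setting.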

Protecting your high-value Windows applications

Promon SHIELD™ for Windows can be integrated with applications and services that typically handle sensitive information. By blocking unwanted interaction from other programs, including malware that may already reside on the device, it creates a secure session for the protected application.

Through so-called whitelisting, the application is shielded from access by all other programs on the system and is only allowed to communicate with specific, approved programs. Attacks from new and unknown trojans are thus actively blocked rather than recognised after the fact.

Here the Promon solution differs from conventional anti-virus and firewall vendors, which need to update their blacklists of known malware in order to identify it retroactively. With that approach, each new piece of malware has to do some damage before the anti-virus software or firewall can provide protection, and every new threat requires a new security update, which can result in considerable delays.

With Promon SHIELD™, however, your application is protected at all times, without the end-user being involved.