SwissMiss Posted October 4, 2019

Novter Trojan Sets its Sights on Microsoft Windows Defender

The Novter Trojan, also known as Nodersok or Divergent, is the latest Trojan to actively target Microsoft's Windows Defender by attempting to disable it.

Last week, three reports came out about a new fileless Trojan that installs Node.JS onto a victim's machine and configures it as a proxy server for click fraud and other malicious activity. This Trojan is named Nodersok by Microsoft, Divergent by Cisco Talos, and Novter by Trend Micro.

With Windows Defender maturing into a full-fledged AV solution and becoming tightly integrated into the Windows operating system, recent Trojans have been making an effort to disable its real-time protection and other features. This will allow Trojans to download further malware without risk of Defender detecting them, or of future definition updates detecting existing malware.

As previously explained by all three companies, when installed Novter will execute a PowerShell script that disables Windows Defender and modifies Windows Update settings. This is becoming more common, as we have seen TrickBot and Gootkit disable Windows Defender in recent variants.

According to security researcher Vitali Kremez, who also reverse engineered Novter, the malware will add a variety of Windows policies that disable various functionality in Windows Defender.

[Image: Novter disabling Windows Defender]

The policies that are created are as follows:

// Disables Windows Defender. 3rd Party security software could be affected
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ "DisableAntiSpyware" = 1

// Prevents Windows Defender from automatically removing detected items
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ "DisableRoutinelyTakingAction" = 1

// Disables Windows Defender real-time protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\ "DisableRealtimeMonitoring" = 1

// Enable Automatic Updates. 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ "NoAutoUpdate" = 0

// 2 = Notify before download. In other words, don't automatically download and install
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "AUOptions" = 2

// ScheduledInstallDay, 0 = Every day
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "ScheduledInstallDay" = 0

// ScheduledInstallTime, 03:00
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "ScheduledInstallTime" = 3

// Disable peer-to-peer windows updates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization "DODownloadMode" = 0

Once these policies are created, Windows Defender will be disabled on the machine and new Windows updates will not be installed automatically. This leaves the computer open to vulnerabilities and a lack of real-time protection if the user is not running a third-party security product.

As Windows Defender continues to grow into a product that stands on its own merits, we will see more malware continue to utilize similar techniques to bypass security such as Windows Defender.

Source: Novter Trojan Sets its Sights on Microsoft Windows Defender
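The policy list above doubles as an audit checklist. The PowerShell script below is an added example, not code from the article, from Vitali Kremez, or from this post: it reads each registry value the article names, reports any that currently hold the value Novter writes, and then cross-checks the policy view against Defender's own reported state with Get-MpComputerStatus. The $suspectPolicies table, the Signal ratings, and the -Remediate switch are my own construction; run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or the forum post). Audits the policy
# values the article attributes to Novter and reports any set to the
# attacker-chosen value. Run from an elevated PowerShell session.
# -Remediate is an assumed switch, not something the article describes: it
# deletes the matching policy values so Defender's normal settings apply again.
[CmdletBinding()]
param([switch]$Remediate)

# One entry per policy in the article: registry path, value name, the value
# Novter writes, and how strong a signal that value is on its own. The
# Defender entries are rarely legitimate; the Windows Update entries are
# plausible in a managed environment, so they are rated Low.
$suspectPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';           Bad = 1; Signal = 'High' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableRoutinelyTakingAction'; Bad = 1; Signal = 'High' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring';    Bad = 1; Signal = 'High' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoUpdate';                 Bad = 0; Signal = 'Low'  },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'AUOptions';                    Bad = 2; Signal = 'Low'  },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'ScheduledInstallDay';          Bad = 0; Signal = 'Low'  },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'ScheduledInstallTime';         Bad = 3; Signal = 'Low'  },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization';          Name = 'DODownloadMode';               Bad = 0; Signal = 'Low'  }
)

function Get-NovterPolicyFindings {
    foreach ($p in $suspectPolicies) {
        # A missing key or value is the normal state on an unmanaged machine.
        if (-not (Test-Path -LiteralPath $p.Path)) { continue }
        $item = Get-ItemProperty -LiteralPath $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $current = $item.$($p.Name)
        if ($current -eq $p.Bad) {
            [pscustomobject]@{ Signal = $p.Signal; Path = $p.Path; Name = $p.Name; Value = $current }
        }
    }
}

$findings = @(Get-NovterPolicyFindings)

if ($findings.Count -eq 0) {
    Write-Host 'No Novter-style policy values found.'
} else {
    Write-Host "Policy values matching the Novter set ($($findings.Count)):"
    $findings | Sort-Object Signal | Format-Table -AutoSize
    if ($Remediate) {
        foreach ($f in $findings) {
            Remove-ItemProperty -LiteralPath $f.Path -Name $f.Name -ErrorAction Stop
            Write-Host "Removed $($f.Path)\$($f.Name)"
        }
        Write-Host 'Policy values removed; re-check Defender state after a reboot.'
    }
}

# Cross-check the registry view against what the Defender service itself reports.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    Write-Host ("Defender live state: AntispywareEnabled={0} RealTimeProtectionEnabled={1}" -f
        $status.AntispywareEnabled, $status.RealTimeProtectionEnabled)
} else {
    Write-Host 'Get-MpComputerStatus unavailable (Defender service not present or not running).'
}
```

Read the output with the Signal column in mind: the three Defender entries on their own are a strong indicator, while the Windows Update values are ordinary Group Policy settings that an administrator may have set deliberately, so treat a Low-only result as context rather than a detection. A High-signal hit together with RealTimeProtectionEnabled=False from Get-MpComputerStatus is the pattern the article describes. Microsoft's Tamper Protection feature, where enabled, is designed to block exactly this kind of policy-driven change to Defender, so checking that it is on is the cheapest preventive step.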
Ha91 Posted October 21, 2019

Need help understanding coding again. Anyone know what to do with dementia increasing, and what brain exercises? What to do? @swissmiss @karlston @mach1 @steve36 Brain slowing as much as my internet these days.