Wilders Security Forums  

#1
September 5th, 2010, 12:51 PM
3GUSER
Frequent Poster
Join Date: Jan 2010
Posts: 813
UAC is going to be useless unless ...

UAC is going to be useless unless you really know what you are doing

Back in the early years when Vista appeared I have seen malware that is useless thanks to User Account Control. Even if it installs as admin, after restart the sample wants admin rights but is blocked by UAC/Defender, as start-ups with admin rights are not allowed.
-http://i.techrepublic.com.com/gallery/186930-469-132.png-
http://support.microsoft.com/kb/930367

Now malware has started to act differently. Not long ago I noticed my first sample that disables UAC (on Windows 7), and upon restart the threat will be able to gain maximum privileges.

I just came across two more samples that also disable UAC if I start them as admin. I am not sure if there is a workaround. Any ideas?

Last edited by JRViejo : September 5th, 2010 at 12:58 PM. Reason: De-linked Direct Download Link - JRViejo
#2
September 5th, 2010, 01:55 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: UAC is going to be useless unless ...

This may sound like I'm being a smartass, but, scan your downloads first? I know, "but what if they don't detect it?", you have a good point. But, the chances of a very good AV, along with one or two on-demand scans with others, missing something are low. To get away from that since I know that kind of statement will just bring arguments I don't wish to start, if it doesn't need a reboot, you can always install a new piece of software in Sandboxie or Returnil to see what it does first.

Were these security programs that were infected with these samples, or were they "stand alone" malware samples you were just testing?
#3
September 5th, 2010, 02:57 PM
3GUSER
Frequent Poster
Join Date: Jan 2010
Posts: 813
Re: UAC is going to be useless unless ...

The newest ones I got were both rogue programs using MSI to do a silent install. At the end of the installation, Windows Action Center reminds you that the computer needs a restart for the UAC changes to take effect.

And when the antivirus/antimalware security has been bypassed , after restart it is malware fun

I was talking about some protection of the UAC settings. I was thinking: what if I lock the Registry permissions of my user (for example) to change UAC settings?
#4
September 5th, 2010, 03:09 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: UAC is going to be useless unless ...

Hang on, let me make sure I'm reading you right. The malware throws up an Action Center message saying UAC is about to be changed? If that is the case, that should be a big, bright red warning flag to anyone who understands that UAC doesn't need to be changed for any reasonable program. I'm aware some such programs exist, I've run across them, but I've never let them install when they wanted to do that. They immediately got kicked out the door.

Off topic, and this may not even be the same thing you're talking about, but I hate MSI files. Programs that are installed like that never seem to want to uninstall correctly. I'm sure that's simply my experience with them, but it sure seems that way. On-topic, there may exist a way to lock UAC from being changed, I simply don't know. It's worth looking into.
#5
September 5th, 2010, 03:13 PM
brosephjames
Infrequent Poster
Join Date: Sep 2010
Posts: 9
Re: UAC is going to be useless unless ...

You said you purposely let the malware run with admin privileges? So presumably you clicked yes on the UAC prompt when you let them execute?

All the security techniques like UAC, LUA, SRP, etc are designed to prevent malware from running as admin or running at all. They can't really help you once the malware gains admin privileges.

If software has admin access it can do whatever it wants, including disabling UAC and SRP etc.
#6
September 5th, 2010, 03:18 PM
3GUSER
Frequent Poster
Join Date: Jan 2010
Posts: 813
Re: UAC is going to be useless unless ...

Quote:
Originally Posted by brosephjames
You said you purposely let the malware run with admin privileges? So presumably you clicked yes on the UAC prompt when you let them execute?

Yes, for the testing purpose, yes. The average Joe would do the same.


Quote:
If software has admin access it can do whatever it wants, including disabling UAC and SRP etc.

I know but I think some settings should be further protected.

I am gonna try tomorrow to see if I can protect the permissions of these keys.

The point of this thread is to point out how malware has obviously developed (since the first Vista UAC appearance) and to hear any ideas for protecting UAC itself.

Last edited by 3GUSER : September 5th, 2010 at 03:24 PM.
#7
September 5th, 2010, 03:19 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: UAC is going to be useless unless ...

Quote:
Originally Posted by brosephjames
You said you purposely let the malware run with admin privileges? So presumably you clicked yes on the UAC prompt when you let them execute?

All the security techniques like UAC, LUA, SRP, etc are designed to prevent malware from running as admin or running at all. They can't really help you once the malware gains admin privileges.

If software has admin access it can do whatever it wants, including disabling UAC and SRP etc.

The issue is, and this may show my lack of knowledge here, but it's worth it if I've been wrong, if UAC is at max level, EVERY program you install will result in a UAC prompt. Most of the time, all you get is "This program wants to make changes to your computer". That's not the biggest help in the world.
#8
September 5th, 2010, 03:20 PM
3GUSER
Frequent Poster
Join Date: Jan 2010
Posts: 813
Re: UAC is going to be useless unless ...

Quote:
Originally Posted by dw426
Hang on, let me make sure I'm reading you right. The malware throws up an Action Center message saying UAC is about to be changed?

Of course not. As soon as the malware sample starts it changes the UAC registry settings to disable UAC. A second or two after that, Action Center presents you with a prompt to restart the computer for the changes to take effect. You restart and the malware is free to do anything.
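Added example, not from the thread or any poster: a read-only PowerShell check that reports whether the UAC policy values the post above describes (the ones Action Center reacts to when they change) still match a baseline, and lists who holds write access on the key, which is the permission idea raised earlier in the thread. The baseline values are an assumption (Windows 7 defaults for the "notify me only when programs try to make changes" level); adjust them to your own policy. Note that, as others in the thread point out, a process already running as administrator can change these values and the key's ACL, so the check is a detection aid after the fact, not a barrier.

```powershell
# Added example (not from the thread): audit the UAC policy values under the
# System policies key and show the key's ACL. Needs only read access.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed baseline for a Windows 7 system with UAC at the default level.
$expected = @{
    EnableLUA                  = 1   # 0 = UAC fully disabled after the next reboot
    ConsentPromptBehaviorAdmin = 5   # 5 = prompt for consent for non-Windows binaries
    PromptOnSecureDesktop      = 1   # 1 = prompts are shown on the secure desktop
}

function Test-UacPolicy {
    param(
        [string]$Path = $uacKey,
        [hashtable]$Baseline = $expected
    )
    $props = Get-ItemProperty -Path $Path
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            # A missing value falls back to the Windows default; report it anyway.
            $findings += "MISSING  $name (expected $($Baseline[$name]))"
        }
        elseif ($actual -ne $Baseline[$name]) {
            $findings += "CHANGED  $name = $actual (expected $($Baseline[$name]))"
        }
        else {
            $findings += "OK       $name = $actual"
        }
    }
    return $findings
}

Write-Output "UAC policy check for $uacKey"
Test-UacPolicy | ForEach-Object { Write-Output $_ }

# Who can write here? Only SYSTEM and Administrators are expected to hold
# FullControl; any other identity with SetValue/FullControl is worth a look.
Write-Output ''
Write-Output 'Access control entries on the key:'
(Get-Acl -Path $uacKey).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated or a standard prompt; reading the key does not require elevation, so it can be scheduled as a periodic check whose output is compared against the last run.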
#9
September 5th, 2010, 03:21 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: UAC is going to be useless unless ...

Quote:
Originally Posted by 3GUSER
Of course not. As soon as the malware sample starts it changes the UAC registry settings to disable UAC. A second or two after that, Action Center presents you with a prompt to restart the computer for the changes to take effect. You restart and the malware is free to do anything.

Ahh okay, read you loud and clear.
#10
September 5th, 2010, 05:08 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: UAC is going to be useless unless ...

If you let malware have admin privileges, you've "lost."
#11
September 6th, 2010, 01:19 PM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: UAC is going to be useless unless ...

This thread has FAIL written all over it.
#12
September 6th, 2010, 04:17 PM
Martijn2
Frequent Poster
Join Date: Jul 2006
Location: The Netherlands
Posts: 321
Re: UAC is going to be useless unless ...

Quote:
Yes, for the testing purpose, yes. The average Joe would do the same.

That's just plain stupid. Not to be personal, but you are an MCP, so you should know that the moment you give malware admin access your computer is already lost. What's the problem if it disables UAC while it can already do everything else? Even if it couldn't disable UAC, it can already do a lot of damage (keylogging, etc.).
#13
September 7th, 2010, 11:00 PM
trismegistos
Frequent Poster
Join Date: Jan 2009
Posts: 363
Re: UAC is going to be useless unless ...

Quote:
Originally Posted by MrBrian
If you let malware have admin privileges, you've "lost."
All is not yet lost for a knowledgeable user with layered security defences: HIPS (to prevent loading of drivers and low-level disk access), firewall (prevention of phoning home), and a lite virtualizer (as a system-wide sandbox). Add an application sandbox to the mix, and you have security overkill.

Edit:
Oopsy! Yes, I agree with that statement. I failed to qualify "admin privileges". What I thought initially was malware being executed in an admin account. So obviously if malware is given admin privileges, he blatantly allowed huge gaping holes or security bypasses which, in this case, allow low-level writes to the MBR, loading of drivers, etc. What is nice about having layered security defences, even as admin, is that you'll know beforehand what a malware can do if executed, and that helps you prevent major security blunders.

But then again, all is not lost, if you have offline image back ups, one's ultimate security.
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

Last edited by trismegistos : September 7th, 2010 at 11:53 PM.
#14
September 8th, 2010, 12:27 AM
Konata Izumi
Very Frequent Poster
Join Date: Nov 2008
Posts: 1,512
Re: UAC is going to be useless unless ...

UAC with SRP is awesome... IMO
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.
 
