Prevent kernel rootkit installation under user mode?

[R2D2]

Can you prevent a kernel mode rootkit from installation if you run your PC in user mode instead of admin. mode? Just create another user account under the administrator to use for yourself. Of course running in user mode has limitations, but when needed, just switch back to the admin. mode. I guess that only a user mode rootkit can install itself in this mode, but not sure.

Jeff

The battle continues...

[tlu]

Quote:

Originally Posted by R2D2

Can you prevent a kernel mode rootkit from installation if you run your PC in user mode instead of admin. mode? Just create another user account under the administrator to use for yourself. Of course running in user mode has limitations, but when needed, just switch back to the admin. mode. I guess that only a user mode rootkit can install itself in this mode, but not sure.

There is no user mode rootkit - admin rights are definitely necessary. There are many other advantages of running as a user with limited rights, e.g. no write access to large parts of the registry, no write access to the system folder etc. I strongly recommend to have a look at http://blogs.msdn.com/aaron_margosis...ory/10085.aspx , especially at http://blogs.msdn.com/aaron_margosis...17/157962.aspx .

[R2D2]

Hi Thomas,

Those links you provided are useful and interesting info I needed. Thanks!
I do agree using admin. rights is necessary, but I wouldn't mind switching modes when needed as another security measure. (Just use the internet in user mode to decrease chances of malware infection on your system.)

User mode rootkit is explained in an article from viruslist.com at: http://www.viruslist.com/en/analysis?pubid=168740859
I recommend it. It's a good read on this malicious subject by Kaspersky Lab.
It's explained under the "Windows rootkits" masking methods section.

According to this article, a user mode rootkit is easier to detect such as with RootKit Revealer and many other progs it refers to for detection. Since the kernel type is more difficult to detect and get rid of, I'd use the limited user mode instead, even while browsing the net to hopefully avoid its infection.

Jeff

[tlu]

Quote:

Originally Posted by R2D2

User mode rootkit is explained in an article from viruslist.com at: http://www.viruslist.com/en/analysis?pubid=168740859
I recommend it. It's a good read on this malicious subject by Kaspersky Lab.
It's explained under the "Windows rootkits" masking methods section.

According to this article, a user mode rootkit is easier to detect such as with RootKit Revealer and many other progs it refers to for detection. Since the kernel type is more difficult to detect and get rid of, I'd use the limited user mode instead, even while browsing the net to hopefully avoid its infection.

Jeff

Jeff, I remember now that I read this article some time ago. But I think the term "user-mode" is misleading. Although not explicitly stated in that article, I'm sure that for installing this kind of rootkits admin rights are likewise needed. I guess the name was chosen to differentiate them from the kernel-type rootkits.

Quote:

Originally Posted by tlu

Jeff, I remember now that I read this article some time ago. But I think the term "user-mode" is misleading. Although not explicitly stated in that article, I'm sure that for installing this kind of rootkits admin rights are likewise needed. I guess the name was chosen to differentiate them from the kernel-type rootkits.

Sorry, tlu but you are wrong about needing admin rights needed to install all rootkits.

Here's what Mark Russsinovch says

Quote:

But even if the virus is activated from a non-administrator account it can install a less powerful, though still effective, user-mode rootkit.

You can find lots of other people saying the same thing.

Running without admin rights is a powerful defense, but at the same time you must understand what exactly it does do and what it doesn't. It's interesting to see that even a limited account is not that limited.

Though of course most malware these days are built on the assumption you have admin rights.

[Mrkvonic]

Hi,
Running limited account is a pain. Your windows will barely function. If you limit yourself to jsut browsing and email, then you're ok, but a large number of applications, to say nothing of games, will not run well under limited account. In this case, functionality outweighs security. A better solution would be sandboxing or running specific applications with limited privileges.
Mrk

[lotuseclat79]

Quote:

Originally Posted by Mrkvonic

Hi,
Running limited account is a pain. Your windows will barely function. If you limit yourself to jsut browsing and email, then you're ok, but a large number of applications, to say nothing of games, will not run well under limited account. In this case, functionality outweighs security. A better solution would be sandboxing or running specific applications with limited privileges.
Mrk

Hi Mrk,

Yes, running limited is a pain, and sandboxing is a better solution, but at the very least as you mention, the specific applications with limited priviledges should be the Internet facing applications like the browser and email apps.

So, running a browser with DropMyRights.msi and SetSafer.msi from Microsoft makes a lot of common sense if one absolutely, positively actually "needs" to be running from an account with Administrator rights - although ill-advised!

-- Tom

[tlu]

Quote:

Originally Posted by rootkitman

Sorry, tlu but you are wrong about needing admin rights needed to install all rootkits.

Here's what Mark Russsinovch says ...

Thanks for this interesting info, rootkitman. Could you provide a link, please?

Quote:

Though of course most malware these days are built on the assumption you have admin rights.

Indeed, that's why a limited user account makes definitely sense.

[tlu]

Quote:

Originally Posted by lotuseclat79

Hi Mrk,

Yes, running limited is a pain, and sandboxing is a better solution, but at the very least as you mention, the specific applications with limited priviledges should be the Internet facing applications like the browser and email apps.

So, running a browser with DropMyRights.msi and SetSafer.msi from Microsoft makes a lot of common sense if one absolutely, positively actually "needs" to be running from an account with Administrator rights - although ill-advised!

-- Tom

I strongly disagree - see here and the following postings in that thread.

Running limited is a pain? Says one who has probably never seriously tried ... I've been doing it for many years, and the most applications don't cause any problems. And even my children use a limited account on their computer. But you don't carry it off? Well, you will have problems if you're a guy who's tinkering with system settings and editing the registry every day. If that's your hobby, I agree that you should work solely under an admin account - all malware programmers will appreciate it ...

Quote:

Originally Posted by tlu

Thanks for this interesting info, rootkitman. Could you provide a link, please?

This is really basic stuff and you could have easily googled it anyway, but okay

http://www.sysinternals.com/blog/200...t-for-now.html

If you don't believe Mark, see also the comments by Kevin McAleevey of Boclean

Quote:

Originally Posted by Kevin McAleavey

As far as "rootkits" go, any vendor that claims to "proactively protect against all rootkits" is a liar. "Rootkits" can be installed from a limited account in ring 3 and just as easily,

I fully agree though that limited user accounts give you substantial protection, but it's not unbreakable. It does not prevent all malware from being installed only those that require drivers, or access to none-user specific registry/files.

E.g a malware cannot write to

HKLM\Software\Microsoft\CurrentVersion\Run

but it can write to the symoblic link of HKCU.

Also as mentioned, most malware are targetted at users with admin rights, so it's true that these won't work. But there are none-kernel keyloggers for example that WILL work and install in limited user accounts.

[Mrkvonic]

Quote:

Originally Posted by tlu

I strongly disagree - see here and the following postings in that thread.

Running limited is a pain? Says one who has probably never seriously tried ... I've been doing it for many years, and the most applications don't cause any problems. And even my children use a limited account on their computer. But you don't carry it off? Well, you will have problems if you're a guy who's tinkering with system settings and editing the registry every day. If that's your hobby, I agree that you should work solely under an admin account - all malware programmers will appreciate it ...

Hi,
Try to play America's Army, Age of Empires / Mythology, World of Warcraft as limited user...
I do not tamper with system settings on the normal machines. I have scapegoat machines that I tinker with, but my home computers are peaceful and quiet.
Apropos malware, it would highly insolent of me to claim arrogance and supremacy, but so far the malware programmers have not bothered me. They are much better of with people who still run sp1, use IE and click yes every now and then...
Mrk

[tlu]

Quote:

Originally Posted by Mrkvonic

Hi,
Try to play America's Army, Age of Empires / Mythology, World of Warcraft as limited user...

Okay, I'm not familiar with these obviously badly programmed games (no normal application - I'm not talking about system utilities, and I'm not talking about the installation process - should require admin rights). But in most cases these problems can be fixed with the help of Regmon and/or Filemon from www.sysinternals.com . If this doesn't help, they can started via runas or by using Aaron Argolis' MakeMeAdmin batch.
That's why I'm still convinced that it's a bad idea to be generally logged in as admin.

[tlu]

Quote:

Originally Posted by rootkitman

This is really basic stuff and you could have easily googled it anyway, but okay

http://www.sysinternals.com/blog/200...t-for-now.html

If you don't believe Mark, see also the comments by Kevin McAleevey of Boclean

Okay, I didn't know that these kinds of malware are also called rootkits.

Quote:

I fully agree though that limited user accounts give you substantial protection, but it's not unbreakable. It does not prevent all malware from being installed only those that require drivers, or access to none-user specific registry/files.

of course - I didn't deny that.

Quote:

E.g a malware cannot write to

HKLM\Software\Microsoft\CurrentVersion\Run

but it can write to the symoblic link of HKCU.

Well, not on my system. I've closed these holes. Applications that want to write e.g. to run keys in HKCU must have admin rights on my system, i.e. they have to be started via Aaron Margolis' MakeMeAdmin batch.

[Mrkvonic]

Hello,
tlu, bad programming is what we must cope every day - the very OS.
Running makemeadmin is as bad as running dropmyrights. It's the other side of the mirror. Run as does not work with these games well. They sometimes run, sometimes crash, sometimes both. And there are dozens of other games and programs.
You speak of malware writing to registry? Where does this malware come from? You download it to your computer? You execute it? You might as well slide the barrel gun behind the kevalr panels of your vest and fire.
Mrk

[tlu]

Quote:

Originally Posted by Mrkvonic

Hello,
tlu, bad programming is what we must cope every day - the very OS.

Indeed. A part of this problem is that Windows does not motivate its users to work under a limited account as it is standard for all Linux/Unix users.

Quote:

Running makemeadmin is as bad as running dropmyrights. It's the other side of the mirror.

No, it's not. Under Dropmyrights applications, which were started with lower rights, can break out from this security context and gain admin rights. MakeMeAdmin, on the other side, is only started in those relatively rare cases when it's really needed and closed after that.

Quote:

Run as does not work with these games well. They sometimes run, sometimes crash, sometimes both. And there are dozens of other games and programs.

Have you tried Regmon/Filemon?

Quote:

You speak of malware writing to registry? Where does this malware come from? You download it to your computer? You execute it? You might as well slide the barrel gun behind the kevalr panels of your vest and fire.
Mrk

I'm practising "safer computing", but the Sony rootkit makes it clear that there are dangers you probably wouldn't assume. This emphasizes the need of a layered protection. Using a limited account is an important part of this concept.

Is there a switch I can use to turn my userAdmin account to limited - then back again if I need to install something (without having to create and config a new limited account) thanks

[tlu]

Quote:

Originally Posted by 7777

Is there a switch I can use to turn my userAdmin account to limited - then back again if I need to install something (without having to create and config a new limited account) thanks

There is no need to turn your account to limited and back. Do the following easy steps instead:
1. Create a new admin account.
2. Log into this new admin account.
3. Change your old account to a limited account (just 1 mouseclick).
4. Assign passwords for both acounts.

Now you can log into that limited account and install applications that require admin rights with the MakeMeAdmin batch. It's easy!