Wilders Security Forums  

  #1  
Old October 23rd, 2010, 11:44 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

I've found a program that lets one run programs in the secure desktop! Download the file NET_0Setup.zip near the end of that page.

I installed Elite Keylogger. Then I ran c:\windows\Notepad.exe in the secure desktop and typed some characters into it. I switched back to the admin account and reviewed the Elite Keylogger logs; no keystrokes were recorded from the secure desktop.

Quote:
Usages

The sample application and source files included in this article can be used in five ways, four of which are distinctive.
The most secure way to make permanent authorizations is to have the program run at the welcome screen (boot), as I've outlined in my On Screen Keys article last month. That way your password would be safe at the welcome screen. However, at the moment there are virtually zero high-level hacks against this kind of program on a secure desktop object like that of an ATM machine, so you can feel very secure while using it.

1. Always Run As Administrator
Run the program and it will enter a secure desktop, where you can enter your password, user name, location, and path to the file that you want to "Always run as administrator". Click OK > Yes. The program then becomes an administrative shortcut that will always open the specified path with administrative privileges. It will also create a regular shortcut for you to place on the desktop, taskbar, start menu, or desired location, so that you can quickly access the shortcut at any time.
2. Run On Secure Desktop
Run the program and enter a secure desktop, where you can provide the password to run almost any application in this secure environment, without fear of keyloggers etc. You don't have to "always" run as administrator, either. Just close the app, and no settings will be saved or remembered.
3. Run On Secure Administrator Desktop
Run the program and enter a secure desktop, where you can provide the password. Then open explorer.exe, usually located here:
C:\Windows\explorer.exe
This will show the taskbar and start menu of the administrator. The desktop will have been given a unique number that you should remember for this session. {see illustration below} Now if you leave the administrator desktop by closing any open applications, you may navigate back at any time by right-clicking the secure button and choosing what desktop you want to go to.
4. Run On Default Desktop
Run the program and enter a secure desktop, where you can provide the password, and then click the Desktop button to exit the secure environment. Now the program will run on the regular desktop, keeping your secured data. You can then minimize the application to the taskbar icon, so that it can be used as an administrative launch deck, by Right-clicking > Open.

To do this, refer to usage case #2 above.

Feel free to report your test results vs keyloggers, screen loggers, etc.

I couldn't get usage case #1 to do what it claims to do.
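
Added example, not part of the original post and not the linked tool's code: one way to start a program on its own desktop with documented Win32 calls (CreateDesktop, STARTUPINFO.lpDesktop, SwitchDesktop). Windows hooks are scoped to the desktop of the thread that installs them, which is consistent with the keylogger result above. That the linked tool works this way is an assumption, as are the names DesktopDemo and DemoIsolatedDesktop, the 60-second cap and the Notepad path.

```powershell
# Added illustration (not the linked tool's source). Assumed names: DesktopDemo,
# 'DemoIsolatedDesktop', the 60-second cap and the Notepad path.
$source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
public static class DesktopDemo
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode, int flags, uint access, IntPtr sa);
    [DllImport("user32.dll", SetLastError = true)] static extern IntPtr OpenInputDesktop(int flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)] static extern bool SwitchDesktop(IntPtr desktop);
    [DllImport("user32.dll", SetLastError = true)] static extern bool CloseDesktop(IntPtr desktop);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CreateProcess(string app, StringBuilder cmdLine, IntPtr procAttrs, IntPtr threadAttrs,
        bool inheritHandles, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] static extern uint WaitForSingleObject(IntPtr handle, uint ms);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr handle);

    const uint GENERIC_ALL = 0x10000000, DESKTOP_SWITCHDESKTOP = 0x0100;

    // Starts exePath on a newly created desktop, shows that desktop, and always
    // switches back when the program exits or maxSeconds elapses.
    public static void RunIsolated(string desktopName, string exePath, uint maxSeconds)
    {
        IntPtr original = OpenInputDesktop(0, false, DESKTOP_SWITCHDESKTOP);
        if (original == IntPtr.Zero) throw new Win32Exception();
        IntPtr isolated = CreateDesktop(desktopName, IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero);
        if (isolated == IntPtr.Zero)
        { int err = Marshal.GetLastWin32Error(); CloseDesktop(original); throw new Win32Exception(err); }
        try
        {
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            si.lpDesktop = desktopName;       // the new process creates its windows on this desktop
            PROCESS_INFORMATION pi;
            if (!CreateProcess(exePath, null, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception();
            SwitchDesktop(isolated);          // make it the desktop that receives keyboard and mouse input
            WaitForSingleObject(pi.hProcess, maxSeconds * 1000);
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        }
        finally
        {
            SwitchDesktop(original);          // never leave the user stranded on an empty desktop
            CloseDesktop(isolated);
            CloseDesktop(original);
        }
    }
}
'@
Add-Type -TypeDefinition $source
[DesktopDemo]::RunIsolated('DemoIsolatedDesktop', "$env:WINDIR\System32\notepad.exe", 60)
```

A desktop created this way belongs to the same logon session and user, so it separates input and windows but is not a sandbox for code that runs inside it.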
  #2  
Old October 24th, 2010, 12:20 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

A couple of notes:

Opera portable runs in the secure desktop with Internet access.

The UAC-look-alike launcher can be used to start a program as any user, not just admin users. I started Opera portable as a standard user in the secure desktop.

Maybe this is a good method to do online banking?
  #3  
Old October 24th, 2010, 12:53 AM
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,512
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

pretty interesting

but what if some sort of malware came from the browser running in secure desktop while you are surfing? I don't want my secure desktop to be infected :<
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.
  #4  
Old October 24th, 2010, 01:00 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by Konata Izumi
but what if some sort of malware came from the browser running in secure desktop while you are surfing? I don't want my secure desktop to be infected :<

Good point. More testing needs to be done....

Last edited by MrBrian : October 24th, 2010 at 01:06 AM.
  #5  
Old October 24th, 2010, 01:05 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
I couldn't get usage case #1 to do what it claims to do.

Aha! I got usage case #1 to work now. It seems you have to specify an admin account that doesn't use UAC - I used the Administrator account. So now we have a way to start programs as admin from a shortcut while completely avoiding a UAC prompt. I'll be writing about this soon somewhere else on Wilders.... Oh, and it works from a standard account also, and with no additional services needed.

Last edited by MrBrian : October 24th, 2010 at 02:50 AM.
  #6  
Old October 24th, 2010, 01:12 AM
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,512
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
Good point. More testing needs to be done....

I do hope for an easier/safer implementation.

EDIT: If I have an antikeylogger / antivirus running in the unsecure desktop would they be able to protect programs running in the secure desktop?
  #7  
Old October 24th, 2010, 01:17 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by Konata Izumi
EDIT: If I have an antikeylogger / antivirus running in the unsecure desktop would they be able to protect programs running in the secure desktop?

I'm looking into that right now.
  #8  
Old October 24th, 2010, 02:31 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Some tests:

A program running in the secure desktop can launch other programs. Thus, I assume malware could be launched if you come upon an exploit in a program that you're using in the secure desktop.

Hypothesis: if you encounter malware while in the secure desktop, while it can run in the current secure desktop and also possibly infect the user account that's being used, the next time you use a new secure desktop, the malware shouldn't be running in it.

I installed Avast 5 Free with default settings. I switched to the secure desktop and tried to run an infected file. Avast deleted the file while in the secure desktop, although Avast showed no user interface notification while doing so. I also tried to download an infected file. Again, Avast stopped it, without any user interface notification. When I switched back to the normal desktop, Avast showed notification of what had happened.

Unfortunately, AppLocker doesn't seem to be enforced in the secure desktop.

Last edited by MrBrian : October 24th, 2010 at 02:45 AM.
  #9  
Old October 24th, 2010, 03:35 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
Hypothesis: if you encounter malware while in the secure desktop, while it can run in the current secure desktop and also possibly infect the user account that's being used, the next time you use a new secure desktop, the malware shouldn't be running in it.

The behavior I've seen so far supports the hypothesis. While in the secure desktop, I ran Anti-Keylogger Tester. It was able to log keystrokes within the secure desktop. I also set Anti-Keylogger Tester to start in the user's account every login. I then switched back to the normal desktop, and logged out of the account and back in. Anti-Keylogger Tester started automatically as expected. I then turned on its keylogging, entered the secure desktop, typed some keystrokes, and exited the secure desktop. Anti-Keylogger Tester wasn't able to log the keystrokes within the secure desktop.

So to summarize, it seems that:
1. Every time you enter a new secure desktop, it's clean from keyloggers, etc., even if you got infected while in a different secure desktop.
2. If you encounter malware while within a secure desktop, it can affect the current secure desktop and also permanently affect the user account being used. Depending on the permissions of the user account being used, you could get total system compromise.

Maybe turn on Returnil before using a secure desktop?
  #10  
Old October 24th, 2010, 03:40 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,849
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Interesting tests

Quote:
Originally Posted by MrBrian

Maybe turn on Returnil before using a secure desktop?

In which case you wouldn't need secure desktop, I guess
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #11  
Old October 24th, 2010, 03:44 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by CloneRanger
In which case you wouldn't need secure desktop, I guess

Returnil would be used to cure (upon reboot) any infection you get while in the secure desktop, but any keyloggers already present in the system hopefully wouldn't function while in the secure desktop. I didn't test with Returnil yet though....

I think the closest competitors to this method might be Prevx SafeOnline or KeyScrambler.

On an unrelated note, I think I'll refer to this program as "Secure Desktop Run As," which is IMHO more appropriate than "User Account Control."

Last edited by MrBrian : October 24th, 2010 at 03:50 AM.
  #12  
Old October 24th, 2010, 03:51 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,849
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

@ MrBrian

I see what you mean

PSOL is a major player & together with for eg Zemana or Spyshelter even better

However please see the recent posts by aigle in here

http://www.wilderssecurity.com/showt...10#post1772410
  #13  
Old October 24th, 2010, 04:24 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

I've tested against Advanced Keylogger from Eltima. Advanced Keylogger didn't log any keys pressed in the secure desktop.
  #14  
Old October 24th, 2010, 06:10 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,849
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian

I've tested against Advanced Keylogger from Eltima. Advanced Keylogger didn't log any keys pressed in the secure desktop.

Excellent

What about screenshots though?

See my latest post in - http://www.wilderssecurity.com/showt...10#post1772410

Advanced Keylogger from Eltima is a beech
  #15  
Old October 24th, 2010, 07:39 AM
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,512
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

I set my browser to always run at low integrity level, with DEP, ASLR etc with the help of EMET-2...

Will my browser running on secure desktop have all the settings?
  #16  
Old October 24th, 2010, 04:17 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by CloneRanger
What about screenshots though?

Advanced Keylogger couldn't grab any screenshots from the secure desktop.

Last edited by MrBrian : October 24th, 2010 at 04:24 PM.
  #17  
Old October 24th, 2010, 04:38 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,454
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Key features

It's simpler to use common programs that have already been granted privileges once. A malware cannot launch these applications with your granted permission either. Only the user knows where this application is located, and/or its link, and what it opens.

Right... "Hey good sir, may I make use of this application?" ... Polite malware... Who would imagine that?

Polite....

Quote:
Only the user knows where this application is located, and/or its link, and what it opens.

... but stupid.

Imagine I have Spybot - Search & Destroy installed, which to apply immunizations, add or remove autorun entries, etc needs Administrator rights. If I have Spybot to always run as Administrator, then couldn't malware check if Spybot is installed and just run it on its behalf (obviously, without the user even seeing it) and just add autorun entries, and delete antimalware autorun entries?

Just a tiny example.

Am I seeing the wrong picture, perhaps?
  #18  
Old October 24th, 2010, 05:17 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by m00nbl00d
Imagine I have Spybot - Search & Destroy installed, which to apply immunizations, add or remove autorun entries, etc needs Administrator rights. If I have Spybot to always run as Administrator, then couldn't malware check if Spybot is installed and just run it on its behalf (obviously, without the user even seeing it) and just add autorun entries, and delete antimalware autorun entries?

Just a tiny example.

Am I seeing the wrong picture, perhaps?

Secure Desktop RunAs can create a new shortcut but it doesn't modify existing shortcuts or programs.

Last edited by MrBrian : October 24th, 2010 at 05:24 PM.
  #19  
Old October 24th, 2010, 05:23 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by Konata Izumi
I set my browser to always run at low integrity level, with DEP, ASLR etc with the help of EMET-2...

Will my browser running on secure desktop have all the settings?

I tested Firefox running as a low integrity app and configured it with EMET. When I ran Firefox in the secure desktop, it ran as a medium integrity app. EMET was active for Firefox when run in the secure desktop.
  #20  
Old October 24th, 2010, 05:59 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

I tested against 6 of the 7 keylogging tests of Anti-Keylogger Tester v3.0 running in a normal desktop, first with non-admin rights, and then with admin rights, while typing into Notepad in a secure desktop. Anti-Keylogger Tester was unable to record keystrokes in the secure desktop in any of the tests. I couldn't try the JournalRecord Hook test because it failed to set.

This is perhaps a fine method for online banking using a different browser than you normally use, one with no third-party addons. Activities which have too high of a chance of encountering malware should probably not be done in the secure desktop.
  #21  
Old October 24th, 2010, 07:09 PM
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,512
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
I tested Firefox running as a low integrity app and configured it with EMET. When I ran Firefox in the secure desktop, it ran as a medium integrity app. EMET was active for Firefox when run in the secure desktop.

I thought so...

Have you tested isolation software like GesWall / Defensewall or Sandboxie?
Did they sandbox/isolate browsers that try to run in the secure desktop?

In a secure desktop session can you open 2 or more programs or just one?

Thank you for the tests.
__________________
Win7PRO64bit | SUA | SRP | UAC | EMET | SpywareBlaster | MVPSHOST | OpenDNS | SandboxIE | Privoxy | Windows Image Backup .
built-in security + sandboxing fag.
  #22  
Old October 24th, 2010, 09:00 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by Konata Izumi
Have you tested isolation software like GesWall / Defensewall or Sandboxie?
Did they sandbox/isolate browsers that try to run in the secure desktop?

In a secure desktop session can you open 2 or more programs or just one?

Thank you for the tests.

You're welcome.

I didn't test isolation software. You can open more than one program in a secure desktop; in fact you can launch explorer.exe.
  #23  
Old October 25th, 2010, 01:31 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,454
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
Secure Desktop RunAs can create a new shortcut but it doesn't modify existing shortcuts or programs.

OK. But, isn't the purpose of this app to give us the chance not to receive any more UAC alerts for apps we constantly use, for example? If I understood it right, every time I want to start Spybot or some other app, I no longer will get any UAC prompts for it, if I choose that way, right? Spybot will always run with Administrator rights every time it is run, won't it?

This is what I'm understanding the app does, besides the secure desktop situation.

If that's the case, wouldn't the scenario I mentioned before be plausible to happen?
  #24  
Old October 25th, 2010, 10:52 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by m00nbl00d
OK. But, isn't the purpose of this app to give us the chance not to receive any more UAC alerts for apps we constantly use, for example? If I understood it right, every time I want to start Spybot or some other app, I no longer will get any UAC prompts for it, if I choose that way, right? Spybot will always run with Administrator rights every time it is run, won't it?

This is what I'm understanding the app does, besides the secure desktop situation.

If that's the case, wouldn't the scenario I mentioned before be plausible to happen?

Yes, the program has two different types of functionality:
a) secure desktop runas - usage cases #2 and #3 from first post
b) avoid UAC alerts - usage cases #1 and #4 from first post

Using your example, suppose malware happens to launch Spybot that then runs as admin. Then what? User Interface Privilege Isolation, explained at New Technologies for Windows Vista, still limits the interaction between the malware and Spybot running as admin.
  #25  
Old October 26th, 2010, 12:12 AM
safeguy safeguy is offline
Frequent Poster
 
Join Date: Jun 2010
Location: Singapore
Posts: 880
Default Re: Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Quote:
Originally Posted by MrBrian
Aha! I got usage case #1 to work now. It seems you have to specify an admin account that doesn't use UAC - I used the Administrator account. So now we have a way to start programs as admin from a shortcut while completely avoiding a UAC prompt. I'll be writing about this soon somewhere else on Wilders.... Oh, and it works from a standard account also, and with no additional services needed.

I still can't get that to work in a LUA account (with SRP). I still get a prompt by UAC asking for my admin account credentials. I have tried both placing the program in C:\Security folder (set SRP additional path rule to allow it) and inside C:\Program Files directory but still the same result. What am I doing wrong?
__________________
Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security...
 
