IE, Least privilege, and Rogue Antispyware

Hello all,

I was hoping if I can get some questions answered from the experts about something I'm working on. I'm running IE6 on Windows XP. I used a registry setting/tweak to run IE with least privilege, although the account I'm logged in as has admin rights. My goal is to try to prevent as much malware as possible coming in from IE browsing. I've tried downloading/installing apps with IE (such as Malwarebytes) and I was denied because I didn't have admin rights (IE with least privilege).

I then went out into the wild, looking to get owned. I went to a bunch of sites for a day, and had no luck getting infected with anything. I was starting to feel confident. Then, I stumbled upon a site and got infected with Rogue.WindowsEnterpriseSuite. I was surprised that it was able to install with least privilege.

Then, after I scanned and scrubbed the system clean, I logged in with an account that had only user rights. I went to the same website, hoping that I wouldn't get infected because my login account had least privilege. Again, I got infected by Rogue.WindowsEnterpriseSuite. This is the point I am at now.

I'm a little confused at how this was able to install with least privilege. Any experts out there have any ideas, or has anyone else been able to successfully prevent malware by using the principle of least privilege? Any help is greatly appreciated. Thanks all!

Yellow Footprints

 

i can't say anything about this but if i an in your place i wil replad IE 6 with IE8 protect it with a sandbox like geswall, defencewall or sandboxie. do this and nothing can infect you via your browser. Try it and see.

 

well the first thing to do would be upgrade to IE8 or switch browser to firefox or opera.
I dont know of any ITW driveby downloads for opera or firefox.
make sure all your plugins are up to date and all your programs are up to date for example pdf reader etc. uninstall any older versions of program for example java.

you could always use the browser in a sandbox for example sandboxie.

the problem with XP is that its hard to run with a limited user account all the time since if you want to do any admin tasks you have to switch account.

 

Thanks for the quick responses!

As for IE6, I know exactly what you're saying. This is for a corp environment. We've been recommending the upgrade to IE7, and then IE8 for awhile now. For reasons I will not get into, we are still on IE6, but are testing out newer browsers for the switch.

Thanks for the recommendations. All 3 look interesting. I'm going to be playing around with Sandboxie first and see if it affects anything app wise. Thanks again!

Yellow Footprints

 

The reason is simple. The rogue AV just didn't do anything that requires admin privileges. Instead of installing system-wide, it only installed itself into your limited user account, and that don't require admin. That's the short answer.

And this is the long one.

Least privilege is partly a self-explanatory term. That is to say, it obviously does not mean "no privileges" or "all privileges." Instead, it means something like "minimal privileges needed to do a number of everyday tasks".

In real life, your limited user account has far less privileges than your admin account does. But it still has some privileges, or otherwise you couldn't do much anything with the account. The limited user account does not have the kind of access an admin account has, but it is allowed to do some very much basic and essential things: like creating and executing files. As you would know, the admin accounts can do anything: they can delete everything on the hard drive, or install device drivers, anything. A limited user account can't do such things that affect the entire system and all user accounts. Instead, it is limited to having only read access to certain system folders like the Windows and Program Files folders, and can only create new files in folders where limited users are allowed to write, such as in the account's own profile folder.

If you execute a piece of malware in a limited user account, one of two things will happen:
1) If the malware was created to assume the user is logged in as admin, it tries to do things that only admins can do such as install a rootkit driver or drop itself to the Windows\System32 folder. It can't do that in a limited user account, and fails. And so it also fails to infect the system, or the account (unless there's a fallback mechanism in the malware that notices the failure and then only tries to do things that don't require admin privileges).
2) If the malware was created to assume the user is logged in as a limited user, it tries to do only such things that don't require admin privileges. For example: it could drop its main executable into the user profile folder where the limited user can write, then create a registry run key in the HKEY_CURRENT_USER hive where the limited user can write to automatically start itself every time that limited user logs in to his account, and then it could do further things that don't require admin privileges like showing browser popups on the display that claim the computer is infected with something. In this case, the limited user account has been infected, but the system and other accounts have not been.

In your case, then, the rogue AV most likely did not install system-wide - it only installed for that limited user account you used. Removing the rogue AV would be as simple as deleting its files and registry keys - or if feeling a little destructive, just wiping out the entire user and making a new one.

That's how it works. Traditionally, Windows malware has been made to require admin privileges. But now that Vista and 7 came up with UAC, an increasing number of malware will be made that works in limited user accounts. So, one really should not think that running as a limited user prevents all malware issues. What it does is prevent malware from doing some of the nastiest things that allow a malware to infect the entire system and destroy security software for example. It will not prevent a simple malware that doesn't do anything that requires admin privileges from showing you some scary popups or keylogging your passwords in that account and sending them to Russia. So, while you should use a limited user account, there's also more to do to keep yourself safe. Obviously common sense is first: don't execute anything that you don't trust. Then, there's keeping software updated. You were probably using an unpatched IE or browser plugins that allowed this rogue AV on your system - unless you just intentionally executed for purposes of testing. After these basic measures, you can go further if you wish, with various security software or OS features like Software Restriction Policies or AppLocker that help you prevent new and potentially malicious executables from even running in the limited user account, which would prevent the rogue AV among other malware issues. For a corporate environment, Software Restriction Policies or AppLocker if you've got Win7 would make a lot of sense.

The web and even this forum is really full of information on the subject.

 

Thanks for the responses guys!!!

 

Upgrading old XP to modern capabilities

1. Get UAC like capabilities on XP
Download Surun, http://kay-bruns.de/wp/software/surun/
Here is the how to: http://www.dedoimedo.com/computers/surun.html

2. Get the security tab of XP Pro
doenload FajoXPSE, http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=47

3. Get the Software restrictio capabilities of XP Pro
Download PGS http://mrwoojoo.com/PGS/PGS_index.htm
Here is the how to http://mrwoojoo.com/PGS/PGS_HowTo.htm

This why LUA (actually UAC through Surun) works with SRP (through PGS)
http://www.mechbgon.com/srp/

Enjoy the new XPROs

 

What the OP is doing here with IE is not really a true example of the POLP, but rather an example of DAC, which, as Windchild rightly pointed out, means the user account still has some privileges. The user account in a DAC set-up is typically "sandboxed" from the system files. However, anything owned by the user is not confined to a POLP, but rather can have access to any other user owned file/directory/process and sometimes will have access to system files or processes. This is how privilege escalation attacks can happen.

If you want a true POLP system, you will have to move from DAC to MAC (Mandatory Access Controls) which can come in several forms. Most all of them follow the Bell La-Padula model which was developed by and for the military decades ago. MAC implementations in the private and commercial sector include things like SELinux (originally developed by NSA), Trusted BSD, Trusted Solaris, and XTS-400. There are also closed-source OS's like GEMSOS (Orange Book A-1) which have been evaluated at some of the highest assurance criteria levels and have MAC systems as part of the security layer. M$ put something in Vista and 7 known as MIC (Mandatory Integrity Controls) which can do similar things as MAC. However, sadly M$ gives us no way whatsoever to control or adjust MIC settings, making it next to worthless.

 

In that case I would imagine that SRP and no autostarts for users (kafu.exe) would stop it.