Is it possible for malware to bypass UAC?

Discussion in 'other anti-malware software' started by Hungry Man, May 18, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I've heard of this happening only once.
     
  2. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    It's possible. I haven't got any example sorry, but when uac is bypass generaly microsoft try to update uac quickly.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,715
    I guess that depends on what you term as bypass ;)

    If you mean, can you get a malware when you are using UAC/LUA, then yes, most certainly.

    If you mean, can malware get by UAC without the user "allowing" it, then I don't know of specific examples, but have seen a few reports of such things. I think it is pretty limited though, as the weak spot of UAC isn't how secure it is, but how secure the user is.

    Sul.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I don't mean getting malware. I know that malware can run with UAC, it just can't do as much.

    What I'm looking for are specific reports of UAC being bypassed via bug/glitch/whatever but NOT by tricking the user.

    Follow up question: Do you think that putting a password in UAC would make it any bit more secure?
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If there was known way to do it, it would be immediately fixed by security update. And if you mean the theoretical possibility, theoretically everything is possible because there is nothing perfect.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I realize it's "possible" but I'm looking to see how viable it is. I'm looking for actual legit exploits that have bypasses UAC and managed to elevate.
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    If running as an Admin user, I would say yes providing that you have set Prompt for Credentials in Group Policy.
     
  8. clayieee

    clayieee Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    261
    I dunno but i have not been infected by malware ever since ive use windows 7 and i'll guarantee you that
     
  9. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    i once found a malware that bypass it
    basicly most new malware bypass it
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I don't know if that's the case... from what I understand if you have it at default/max it is nearly impossible to get around barring some 0-day exploit.
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,104
    Location:
    Sofa (left side)
    I don't know about bypassing UAC, but there's certainly no need for malware to require a UAC elevation in order to do its evil, i.e. malware can avoid UAC rather than having to find a way through UAC.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    Yes, most malware can simply avoid UAC but any malware that isn't able to run as admin is going to be incredibly easy to remove/ won't do much damage to the computer.
     
  13. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    I have also thought about this. Is it same thing from the executables perspective, if it's run in Standard User -account, or in the Protected Admin account with UAC enabled?
     
  14. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,104
    Location:
    Sofa (left side)
    You're not acquainted with the Carberp trojan then? :) Carberp is as dangerous as Zeus but doesn't require admin privileges and hence avoids UAC.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I'm not familiar. I mean, I can imagine they can mess things up but it won't be able to touch your OS/Registry.
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,104
    Location:
    Sofa (left side)
    Carberp steals your banking login information and passwords in a similar way to Zeus. It's about as bad as it gets.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    Yeah... but that's not what I'm talking about =p it won't ruin the computer itself.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,599
    Location:
    Last Breath Farm
    Carberp also installs a plug-in that removes other malware from the infected machine. That's brilliant.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,929
    Location:
    Québec
    maybe it could be used as a cleaning tool?:D
     
  20. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    the old and already patched "LNK Exploit"... I think it was able to bypass UAC but is already patched by microsoft.
    (bypass = UAC is ON but did prompt for consent on elevation.)
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,599
    Location:
    Last Breath Farm
    Brings to mind all the smug individuals (uh oh, could I be one?) who wish to assure everyone that their systems are clean, and Carberp is like, oh yeah, it's real clean.
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,929
    Location:
    Québec
    hahaha! :D
     
  23. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I don't know if this is what you are looking for, but I remember reading here, if I'm not wrong a post by the user "moonblood" that at a default admin account protected by UAC there is some ways. One example mentioned is create a autorun value in the shell of cmd at the registry (under HKCU so no problems being with the limited token) and after, when the cmd was elevated, generating the UAC prompt when changing the limited to the administrator token, it will load the value you created as limited as admin, bypassing UAC. Looks like this: you are browsing and get hit by a malware driveby. It not generate the UAC prompt and run as limited. It create the autorun registry key at HKCU pointing to a executable dropped by the driveby. Next time cmd.exe run elevated, it will load the value, starting the value at autorun as admin too.

    Sorry for the bad english and please if I misunderstood something, correct me.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,133
    I can understand fine, good explanation. That's an interesting work around, thanks.
     
  25. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Yes it can. its called by a couple name
    "Rights Escilation"
    "Privilege Escalation"


    Some examples:
    http://greyhat-security.com/windows-7-uac-buffer-overflow-privilege-escalation-0-day
    http://eromang.zataz.com/2011/02/06/ms10-073-microsoft-windows-keyboard-layout-privilege-escalation/


    Wiki definition:
    "Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions."

    This is not by design of course. It comes from bugs in the OS or other software but it has happened multiple times in windows 7.

    Do remember though that malware can do things even in user space. It might not be as severe as if they had entire control of your system but they can steal data (email addresses for example) or anything you have sitting around in your profile.

    This is why application whitelisting in SRP & applocker is such a good thing
     
Thread Status:
Not open for further replies.