Is it possible for malware to bypass UAC?

Discussion in 'other anti-malware software' started by Hungry Man, May 18, 2011.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know if this is the answer you were looking for, but it's possible to bypass a UAC restriction.

    Using the Group Policy Editor you can disable the elevation of unsigned applications. Unfortunately, from what it seems, that will only happen if we start those applications in a direct way, that is, you right-click the app and choose Run as administrator.

    But, if you run the Windows command line with administrator privileges, then you can execute those unsigned applications with administrator rights as well, even though you have explicitly chosen to disable their elevation.

    -http://www.wilderssecurity.com/showpost.php?&p=1883962&postcount=316

    Does that count as a bypass/circumvent? ;)
     
  3. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    They inject themselves into a legal process and tiptoe past UAC, like with the rundll32 issue some time back. But UAC is better than nothing. It's better than surfing the net giving everything you click on admin rights.
     
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    :D
    I think so!:D
     
  5. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Subst x: C:\Windows\System32\schtasks.exe

    X:\System32\schtasks.exe /run /tn "malware.exe"
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'd believe that, as with anything else, it is very good, but not 100% - that's just the way it is. The difference compared to effective, modern malware protection is that it's very user-dependent, whereas most AM products can function automatically and still with great success today.
     
  7. bogdan564

    bogdan564 Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    2
    The way I see it, UAC is not a security feature on its own but rather a tool that allows users to move away from the insecure administrator account and helps developers build applications that do not require admin rights unless it is absolutely needed. In my opinion a limited user account should be more secure than the default admin account running in Admin Approval Mode. Nevertheless, exploits will always be an issue (keep your Windows updated), and if the user knows the admin password he/she is responsible for the software he/she allows to run with administrator rights.
     
  8. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Uninstall Java and Adobe Flash. That will elevate browser security by 95 percent.
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I understand what you say, but Flash, even more than Java, is a necessity.

    For better security, one could use Chrome, Flashblock, NoScript, etc.
     
  10. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Or even just Sandboxie Free.
     
  11. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    And will decrease web experience by the same percentage. Both programs are insecure (although Flash is a lot safer since it's in a sandbox), but they are necessary for a lot of popular websites.
     
  12. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    No, they're not. Yes, some sites you need them, otherwise they can't throw a lot of ads in your face. I mean a shiny-looking web page vs. a boring one, but your privacy still intact.
    Java was fun; it's time to move on.
     
  13. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    See, people update Adobe Reader but still sit with an older version of the writer. There are basically 3 or 4 packages for Flash. People update just one. Adobe needs to look at their packages and combine them so that users can easily update and patch up the fixes. Updating one doesn't do anything if the others ain't updated as well.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @Martijn2: Java is in a sandbox as well, way before Flash had one.
     
  15. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    See, the average user doesn't know about updating anything; they don't know about Sandboxie; they don't even know what UAC is. That is the problem. The other problem is stuff like HIPS. It's a band-aid to try and fix others' mistakes, rather than the people fixing their mistakes in the software. If your software is the sole reason for exploitation and you release something like 21 fixes with one update, that means you have to go redress the problems. Why can't they just create a Java uninstaller with their Java program that uninstalls the older Java version and installs the new one? Or place a warning there, right above the nice pic of OpenOffice, when you install it. That isn't so hard for them to do. With an older version of Java on your PC the exploits are still there; there's no use in having installed the security update. And that's not common knowledge. That's why rogue malware is having a party in the stats.
     
  16. x942

    x942 Guest

    Bypassing UAC is very easy. Metasploit has been able to do this forever. One way is to run a UAC bypass payload which basically tries different methods of disabling or tricking the system into thinking it is allowed to run. The other is to start a high-level process and then migrate into it.

    Both are stopped cold by Comodo D+, avast, SRP and EMET. So with extra security apps you are safe:thumb:
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    x942, I agree with you.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Java is not necessary; in the past years I only found one site that needed it :)
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Just using SRP is enough. Extra apps aren't needed.
     
  20. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Tom's adware, I mean Hardware?

    UAC. Drop a trojan through email or a juicy download. Replace a shortcut that does not lead to an executable file; the malware compiles a new exe replacing the Start Menu entry of a legit program. When you click to run the legit program, UAC pops up, you say yes, and the program and the malware execute.
     
    Last edited: Jun 15, 2011
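A defender-side check for the shortcut swap described in the post above, added here as an example that is not part of the thread: it walks both Start Menu folders, resolves each .lnk target, and reports targets that are missing, unsigned, or located under user-writable folders. It assumes Windows PowerShell 5.1 or later on a default Windows layout; the list of user-writable roots is a constructed assumption and can be extended.

```powershell
# Added example, not code from the thread: audit Start Menu shortcuts for
# the swap described above (a .lnk repointed at an attacker-supplied exe).
# Assumes Windows PowerShell 5.1+ on a default Windows installation.

$startMenus = @(
    [Environment]::GetFolderPath('CommonStartMenu'),   # all users
    [Environment]::GetFolderPath('StartMenu')          # current user
)

# Constructed list of roots a standard user can write to; extend as needed.
$userWritableRoots = @(
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Downloads')
)

$shell = New-Object -ComObject WScript.Shell

function Get-SuspiciousShortcut {
    Get-ChildItem -Path $startMenus -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
        if (-not $target) { return }          # folder/URL links have no file target

        $reasons = @()
        if (-not (Test-Path -LiteralPath $target)) {
            $reasons += 'target does not exist'
        } else {
            foreach ($root in $userWritableRoots) {
                if ($root -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "target under user-writable path $root"
                }
            }
            if ($target -match '\.(exe|com|scr|bat|cmd|vbs|ps1)$') {
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            }
        }

        # A legitimate signed target launched with injected arguments is the
        # other common variant, so always surface the argument string.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $target
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousShortcut | Format-Table -AutoSize -Wrap
```

Run it as the user whose Start Menu you want to audit; the all-users folder is readable by everyone, so no elevation is required. An unsigned target on its own is not proof of tampering (many small utilities ship unsigned), which is why the output keeps the path and argument string so each hit can be judged against what the program's installer normally writes.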
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It makes sense.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    That's not a bypass, since a UAC prompt was made. It's simply user stupidity.
     
  23. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    No, you are clicking to run a legit program. The legit program will run, but the malware as well. The user has no idea, and it looks like he's running one of his legit programs. The first thing malware does is check if the user has admin rights. Then it will disguise itself as another program. It just needs that one opportunity to get by it, then it's all over.

    Anyone good in VB? Can you show another way with a VB script?
     
    Last edited: Jun 15, 2011
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Still doesn't fit the definition of bypassing UAC. In your case, UAC allowed it.
     
  25. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    How's your VB?

    I'm not posting the whole script here, but this is just a tad of it:

    Shell( "C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f" , AppWinStyle.Hide)
     
    Last edited: Jun 15, 2011
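The registry value the snippet above writes (EnableLUA) and the signed-only elevation policy mentioned earlier in the thread are both readable without elevation, so a quick audit can tell whether UAC has been switched off or weakened on a machine. The following PowerShell is an added example and not code from the thread; it assumes Windows PowerShell 5.1 or later, and the expected values in the table are the stock Windows defaults plus the optional signed-only policy.

```powershell
# Added example, not code from the thread: report the UAC policy values that
# a weakening script (EnableLUA = 0, as in the snippet above) or a hardening
# GPO (signed-only elevation, as mentioned earlier) would change.
# Assumes Windows PowerShell 5.1+; reading this key needs no elevation.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected values: stock defaults, plus the optional signed-only policy.
$checks = @(
    @{ Name = 'EnableLUA';                   Good = @(1);             Required = $true;  Meaning = 'UAC on; 0 disables UAC after the next reboot' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Good = @(1, 2, 3, 4, 5); Required = $true;  Meaning = 'admins are prompted; 0 elevates silently' }
    @{ Name = 'PromptOnSecureDesktop';       Good = @(1);             Required = $true;  Meaning = 'prompt rendered on the secure desktop' }
    @{ Name = 'ValidateAdminCodeSignatures'; Good = @(1);             Required = $false; Meaning = 'only signed executables may elevate (hardening, off by default)' }
)

function Get-UacAudit {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($c in $checks) {
        $actual = $props.($c.Name)
        $ok = ($null -ne $actual) -and ($c.Good -contains [int]$actual)

        if ($null -eq $actual) { $shown = '(not set)' } else { $shown = $actual }
        if ($ok)               { $status = 'OK' }
        elseif ($c.Required)   { $status = 'WEAK' }
        else                   { $status = 'not hardened' }

        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $shown
            Expected = ($c.Good -join ' or ')
            Status   = $status
            Meaning  = $c.Meaning
        }
    }
}

Get-UacAudit | Format-Table -AutoSize -Wrap
```

Two caveats for interpreting the output. Writing this key requires administrator rights, so a script like the one quoted above can only succeed from a process that is already elevated, which is why the thread's disagreement about what counts as a "bypass" matters. And an EnableLUA change only takes effect after the next reboot, so a machine can report WEAK here while still prompting for the rest of the session; for continuous monitoring rather than a point-in-time check, watch this key for value-set events (Sysmon registry events cover it) and alert when EnableLUA changes to 0.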