Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Discussion in 'other anti-malware software' started by MrBrian, Oct 23, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    I've found a program that lets one run programs in the secure desktop! Download the file NET_0Setup.zip near the end of that page.

    I installed Elite Keylogger. Then I ran c:\windows\Notepad.exe in the secure desktop and typed some characters into it. I switched back to the admin account and reviewed the Elite Keylogger logs; no keystrokes were recorded from the secure desktop :D.

    To do this, refer to usage case #2 above.

    Feel free to report your test results vs keyloggers, screen loggers, etc. :).

    I couldn't get usage case #1 to do what it claims to do.
  2. MrBrian

    MrBrian Registered Member

    A couple of notes:

    Opera portable runs in the secure desktop with Internet access :D.

    The UAC-look-alike launcher can be used to start a program as any user, not just admin users. I started Opera portable as a standard user in the secure desktop.

    Maybe this is a good method to do online banking?
  3. Konata Izumi

    Konata Izumi Registered Member

    pretty interesting :D

but what if some sort of malware came from the browser running in the secure desktop while you are surfing? I don't want my secure desktop to be infected :<
  4. MrBrian

    MrBrian Registered Member

    Good point :). More testing needs to be done....
    Last edited: Oct 24, 2010
  5. MrBrian

    MrBrian Registered Member

    Aha! I got usage case #1 to work now :D. It seems you have to specify an admin account that doesn't use UAC - I used the Administrator account. So now we have a way to start programs as admin from a shortcut while completely avoiding a UAC prompt :D. I'll be writing about this soon somewhere else on Wilders.... Oh, and it works from a standard account also, and with no additional services needed :).
    Last edited: Oct 24, 2010
  6. Konata Izumi

    Konata Izumi Registered Member

    I do hope for an easier/safer implementation.

    EDIT: If I have an antikeylogger / antivirus running in the unsecure desktop would they be able to protect programs running in the secure desktop?
  7. MrBrian

    MrBrian Registered Member

    I'm looking into that right now :).
  8. MrBrian

    MrBrian Registered Member

    Some tests:

    A program running in the secure desktop can launch other programs. Thus, I assume malware could be launched if you come upon an exploit in a program that you're using in the secure desktop.

    Hypothesis: if you encounter malware while in the secure desktop, while it can run in the current secure desktop and also possibly infect the user account that's being used, the next time you use a new secure desktop, the malware shouldn't be running in it.

    I installed Avast 5 Free with default settings. I switched to the secure desktop and tried to run an infected file. Avast deleted the file while in the secure desktop, although Avast showed no user interface notification while doing so. I also tried to download an infected file. Again, Avast stopped it, without any user interface notification. When I switched back to the normal desktop, Avast showed notification of what had happened.

    Unfortunately, AppLocker doesn't seem to be enforced in the secure desktop.
    Last edited: Oct 24, 2010
  9. MrBrian

    MrBrian Registered Member

    The behavior I've seen so far supports the hypothesis. While in the secure desktop, I ran Anti-Keylogger Tester. It was able to log keystrokes within the secure desktop. I also set Anti-Keylogger Tester to start in the user's account every login. I then switched back to the normal desktop, and logged out of the account and back in. Anti-Keylogger Tester started automatically as expected. I then turned on its keylogging, entered the secure desktop, typed some keystrokes, and exited the secure desktop. Anti-Keylogger Tester wasn't able to log the keystrokes within the secure desktop.

    So to summarize, it seems that:
    1. Every time you enter a new secure desktop, it's clean from keyloggers, etc., even if you got infected while in a different secure desktop.
    2. If you encounter malware while within a secure desktop, it can affect the current secure desktop and also permanently affect the user account being used. Depending on the permissions of the user account being used, you could get total system compromise.

    Maybe turn on Returnil before using a secure desktop?
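The mechanism behind the results in the two posts above is that Windows scopes window hooks (SetWindowsHookEx) and input state to the desktop the hooking thread belongs to, so a keylogger hooked into the normal "Default" desktop never sees keystrokes delivered to a window on another desktop. The script below is an added example, not the NET_0Setup tool from the first post and not code from anyone in this thread: it creates an ordinary additional desktop named "Isolated" (a hypothetical name) in the interactive window station WinSta0, starts Notepad on it via CreateProcess with STARTUPINFO.lpDesktop, switches to it, and switches back when Notepad exits. It is not Winlogon's real secure desktop (only SYSTEM can open that one), and the child runs with the caller's own token, so it assumes Windows Vista or later with PowerShell 2.0+ and that the calling user may create desktops in WinSta0 (any interactive user can).

```powershell
# Added example: run a program on a separate desktop so hooks on the normal desktop do not see its input.
# Assumes Windows Vista+ and PowerShell 2.0+ (Add-Type / P/Invoke). "Isolated" is a hypothetical desktop name.
$src = @"
using System;
using System.Runtime.InteropServices;

public static class Desk
{
    public const uint GENERIC_ALL = 0x10000000;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;   // "WinSta0\\<name>" places the new process on that desktop
        public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode, uint flags, uint access, IntPtr sa);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SwitchDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetThreadDesktop(uint threadId);
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentThreadId();
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags,
                                            IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
Add-Type -TypeDefinition $src

$deskName = 'Isolated'                 # hypothetical; any name not already present in WinSta0
$exe      = "$env:windir\notepad.exe"  # the program to type into, as in the test above

# Remember the desktop we are on so we can come back to it (do not close this handle).
$original = [Desk]::GetThreadDesktop([Desk]::GetCurrentThreadId())

$hDesk = [Desk]::CreateDesktop($deskName, [IntPtr]::Zero, [IntPtr]::Zero, 0, [Desk]::GENERIC_ALL, [IntPtr]::Zero)
if ($hDesk -eq [IntPtr]::Zero) {
    throw "CreateDesktop failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

try {
    $si = New-Object 'Desk+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpDesktop = "WinSta0\$deskName"     # this field is what selects the target desktop
    $pi = New-Object 'Desk+PROCESS_INFORMATION'

    # Start-Process cannot set lpDesktop, so call CreateProcess directly.
    $ok = [Desk]::CreateProcess($null, $exe, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0,
                                [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    if (-not $ok) {
        throw "CreateProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # The new desktop has no shell on it, so show it only while the program runs.
    [Desk]::SwitchDesktop($hDesk) | Out-Null
    try {
        (Get-Process -Id $pi.dwProcessId).WaitForExit()
    } finally {
        [Desk]::SwitchDesktop($original) | Out-Null
    }
    [Desk]::CloseHandle($pi.hProcess) | Out-Null
    [Desk]::CloseHandle($pi.hThread)  | Out-Null
} finally {
    [Desk]::CloseDesktop($hDesk) | Out-Null
}
```

To repeat the check from the posts above, start a hook-based test tool (Anti-Keylogger Tester, for instance) on the normal desktop, run this script, type into Notepad, close it and compare the tool's log. Two caveats follow directly from the thread's own findings: the child process inherits the caller's token, so an exploit in it still has the account's rights (post 9, point 2), and a keylogger that runs in the same session and knows the desktop name can OpenDesktop it, call SetThreadDesktop, and hook it from there; the isolation only covers hooks that were installed on a different desktop.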
  10. CloneRanger

    CloneRanger Registered Member

    Interesting tests :thumb:

    In which case you wouldn't need secure desktop, i guess ;)
  11. MrBrian

    MrBrian Registered Member

    Returnil would be used to cure (upon reboot) any infection you get while in the secure desktop, but any keyloggers already present in the system hopefully wouldn't function while in the secure desktop. I didn't test with Returnil yet though....

    I think the closest competitors to this method might be Prevx SafeOnline or KeyScrambler.

    On an unrelated note, I think I'll refer to this program as "Secure Desktop Run As," which is IMHO more appropriate than "User Account Control."
    Last edited: Oct 24, 2010
  12. CloneRanger

    CloneRanger Registered Member

  13. MrBrian

    MrBrian Registered Member

    I've tested against Advanced Keylogger from Eltima. Advanced Keylogger didn't log any keys pressed in the secure desktop.
  14. CloneRanger

    CloneRanger Registered Member

    Excellent :thumb:

    What about screenshots though ?

    See my latest post in - http://www.wilderssecurity.com/showthread.php?p=1772410#post1772410

    Advanced Keylogger from Eltima is a beech :eek:
  15. Konata Izumi

    Konata Izumi Registered Member

    I set my browser to always run at low integrity level, with DEP, ASLR etc with the help of EMET-2...

    Will my browser running on secure desktop have all the settings?
  16. MrBrian

    MrBrian Registered Member

    Advanced Keylogger couldn't grab any screenshots from the secure desktop :).


    Last edited: Oct 24, 2010
  17. m00nbl00d

    m00nbl00d Registered Member

    Right... "Hey good sir, may I make use of this application?" ... Polite malware... Who would imagine that?

    Polite....

    ... but stupid.

    Imagine I have Spybot - Search & Destroy installed, which to apply immunizations, add or remove autorun entries, etc needs Administrator rights. If I have Spybot to always run as Administrator, then couldn't malware check if Spybot is installed and just run it on its behalf (obviously, without the user even seeing it) and just add autorun entries, and delete antimalware autorun entries?

    Just a tiny example.

    Am I seeing the wrong picture, perhaps o_O
  18. MrBrian

    MrBrian Registered Member

    Secure Desktop RunAs can create a new shortcut but it doesn't modify existing shortcuts or programs.
    Last edited: Oct 24, 2010
  19. MrBrian

    MrBrian Registered Member

    I tested Firefox running as a low integrity app and configured it with EMET. When I ran Firefox in the secure desktop, it ran as a medium integrity app. EMET was active for Firefox when run in the secure desktop.
  20. MrBrian

    MrBrian Registered Member

    I tested against 6 of the 7 keylogging tests of Anti-Keylogger Tester v3.0 running in a normal desktop, first with non-admin rights, and then with admin rights, while typing into Notepad in a secure desktop. Anti-Keylogger Tester was unable to record keystrokes in the secure desktop in any of the tests. I couldn't try the JournalRecord Hook test because it failed to set.

    This is perhaps a fine method for online banking using a different browser than you normally use, one with no third-party addons. Activities which have too high of a chance of encountering malware should probably not be done in the secure desktop.
  21. Konata Izumi

    Konata Izumi Registered Member

    I thought so...

have you tested isolation software like GesWall / DefenseWall or Sandboxie?
    did they sandbox/isolate browsers that try to run in the secure desktop?

    In a secure desktop session can you open 2 or more programs or just one?

    Thank you for the tests.
  22. MrBrian

    MrBrian Registered Member

    You're welcome :).

    I didn't test isolation software. You can open more than one program in a secure desktop; in fact you can launch explorer.exe.
  23. m00nbl00d

    m00nbl00d Registered Member

    OK. But, isn't the purpose of this app to give us the chance not to receive any more UAC alerts for apps we constantly use, for example? If I understood it right, every time I want to start Spybot or some other app, I no longer will get any UAC prompts for it, if I choose that way, right o_O Spybot will always run with Administrator rights every time it is run, won't it?

    This is what I'm understanding the app does, besides the secure desktop situation.

    If that's the case, wouldn't the scenario I mentioned before be plausible to happen?
  24. MrBrian

    MrBrian Registered Member

    Yes, the program has two different types of functionality:
    a) secure desktop runas - usage cases #2 and #3 from first post
    b) avoid UAC alerts - usage cases #1 and #4 from first post

    Using your example, suppose malware happens to launch Spybot that then runs as admin. Then what? User Interface Privilege Isolation, explained at New Technologies for Windows Vista, still limits the interaction between the malware and Spybot running as admin.
  25. safeguy

    safeguy Registered Member

I still can't get that to work in a LUA account (with SRP). I still get a prompt by UAC asking for my admin account credentials. I have tried both placing the program in the C:\Security folder (set an SRP additional path rule to allow it)
    and inside the C:\Program Files directory, but still the same result. What am I doing wrong?