Programs running in the secure desktop vs. keyloggers, screen loggers, etc.

Discussion in 'other anti-malware software' started by MrBrian, Oct 23, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've found a program that lets one run programs in the secure desktop! Download the file NET_0Setup.zip near the end of that page.

    I installed Elite Keylogger. Then I ran c:\windows\Notepad.exe in the secure desktop and typed some characters into it. I switched back to the admin account and reviewed the Elite Keylogger logs; no keystrokes were recorded from the secure desktop :D.

    To do this, refer to usage case #2 above.

    Feel free to report your test results vs keyloggers, screen loggers, etc. :).

    I couldn't get usage case #1 to do what it claims to do.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A couple of notes:

    Opera portable runs in the secure desktop with Internet access :D.

    The UAC-look-alike launcher can be used to start a program as any user, not just admin users. I started Opera portable as a standard user in the secure desktop.

    Maybe this is a good method to do online banking?
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    pretty interesting :D

    but what if some sort of malware came from the browser running in the secure desktop while you are surfing? I don't want my secure desktop to be infected :<
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Good point :). More testing needs to be done....
     
    Last edited: Oct 24, 2010
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Aha! I got usage case #1 to work now :D. It seems you have to specify an admin account that doesn't use UAC - I used the Administrator account. So now we have a way to start programs as admin from a shortcut while completely avoiding a UAC prompt :D. I'll be writing about this soon somewhere else on Wilders.... Oh, and it works from a standard account also, and with no additional services needed :).
     
    Last edited: Oct 24, 2010
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I do hope for an easier/safer implementation.

    EDIT: If I have an antikeylogger / antivirus running in the unsecure desktop would they be able to protect programs running in the secure desktop?
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm looking into that right now :).
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Some tests:

    A program running in the secure desktop can launch other programs. Thus, I assume malware could be launched if you come upon an exploit in a program that you're using in the secure desktop.

    Hypothesis: if you encounter malware while in the secure desktop, while it can run in the current secure desktop and also possibly infect the user account that's being used, the next time you use a new secure desktop, the malware shouldn't be running in it.

    I installed Avast 5 Free with default settings. I switched to the secure desktop and tried to run an infected file. Avast deleted the file while in the secure desktop, although Avast showed no user interface notification while doing so. I also tried to download an infected file. Again, Avast stopped it, without any user interface notification. When I switched back to the normal desktop, Avast showed notification of what had happened.

    Unfortunately, AppLocker doesn't seem to be enforced in the secure desktop.
     
    Last edited: Oct 24, 2010
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The behavior I've seen so far supports the hypothesis. While in the secure desktop, I ran Anti-Keylogger Tester. It was able to log keystrokes within the secure desktop. I also set Anti-Keylogger Tester to start in the user's account every login. I then switched back to the normal desktop, and logged out of the account and back in. Anti-Keylogger Tester started automatically as expected. I then turned on its keylogging, entered the secure desktop, typed some keystrokes, and exited the secure desktop. Anti-Keylogger Tester wasn't able to log the keystrokes within the secure desktop.

    So to summarize, it seems that:
    1. Every time you enter a new secure desktop, it's clean from keyloggers, etc., even if you got infected while in a different secure desktop.
    2. If you encounter malware while within a secure desktop, it can affect the current secure desktop and also permanently affect the user account being used. Depending on the permissions of the user account being used, you could get total system compromise.

    Maybe turn on Returnil before using a secure desktop?
     
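The property behind the tests above (a hook set on the normal desktop never sees keystrokes typed on another desktop, and a freshly created desktop has no hooks in it) can be demonstrated directly. The PowerShell below is an added example, not code from the thread or from the Secure Desktop RunAs tool: it creates a private desktop in the interactive window station, starts Notepad on it, confirms with GetThreadDesktop where the child landed, and switches to that desktop for a few seconds so you can type into it while a hook-based logger runs on Default. The desktop name "IsolatedDemo" and the 15-second switch are arbitrary choices for the demo. Note the caveat: a desktop created this way carries the creator's default DACL and lives in WinSta0, so it is not the ACL-restricted Winlogon desktop the tool uses; any process running as the same user can OpenDesktop it and install a hook from a thread on it, which is exactly why the "clean until you run something in it" observation is the right way to think about it.

```powershell
# Added example (not from the thread or the Secure Desktop RunAs tool).
# SetWindowsHookEx delivers only to threads on the hooking thread's desktop,
# so a keyboard hook on "Default" never sees keystrokes typed into a window
# on the desktop created here. Run as the logged-on user.
$code = @'
using System;
using System.Text;
using System.Runtime.InteropServices;

public static class Desk {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode, int flags, uint access, IntPtr sa);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenDesktop(string name, int flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)] public static extern bool SwitchDesktop(IntPtr hDesk);
    [DllImport("user32.dll", SetLastError = true)] public static extern bool CloseDesktop(IntPtr hDesk);
    [DllImport("user32.dll", SetLastError = true)] public static extern IntPtr GetThreadDesktop(int threadId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool GetUserObjectInformation(IntPtr hObj, int index, StringBuilder info, int len, out int needed);
    [DllImport("kernel32.dll")] public static extern int GetCurrentThreadId();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcess(string app, StringBuilder cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags,
        IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    public const uint GENERIC_ALL = 0x10000000;
    public const uint DESKTOP_SWITCHDESKTOP = 0x0100;
    public const int UOI_NAME = 2;

    // Name of the desktop a thread is attached to; GetThreadDesktop accepts any thread id.
    public static string DesktopNameOfThread(int threadId) {
        IntPtr h = GetThreadDesktop(threadId);            // this handle need not be closed
        if (h == IntPtr.Zero) return null;
        var sb = new StringBuilder(256); int need;
        return GetUserObjectInformation(h, UOI_NAME, sb, sb.Capacity, out need) ? sb.ToString() : null;
    }
}
'@
Add-Type -TypeDefinition $code

$deskName = 'IsolatedDemo'   # assumed name for the demo
$hDesk = [Desk]::CreateDesktop($deskName, [IntPtr]::Zero, [IntPtr]::Zero, 0, [Desk]::GENERIC_ALL, [IntPtr]::Zero)
if ($hDesk -eq [IntPtr]::Zero) { throw "CreateDesktop failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# STARTUPINFO.lpDesktop is what places the child on the other desktop. The token is simply
# inherited, so the child runs at the launcher's integrity level and under its AppLocker/SRP
# evaluation, which is the part desktop isolation does not change.
$si = New-Object Desk+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$si.lpDesktop = "WinSta0\$deskName"
$pi = New-Object Desk+PROCESS_INFORMATION
$cmd = New-Object System.Text.StringBuilder 'notepad.exe'   # mutable buffer: CreateProcessW may write to it
$ok = [Desk]::CreateProcess($null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) { throw "CreateProcess failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
Start-Sleep -Milliseconds 500

"launcher desktop: $([Desk]::DesktopNameOfThread([Desk]::GetCurrentThreadId()))"   # Default
"child desktop   : $([Desk]::DesktopNameOfThread($pi.dwThreadId))"                # IsolatedDemo

# Show the private desktop for 15 s (type into Notepad there with your logger running), then return.
$hDefault = [Desk]::OpenDesktop('Default', 0, $false, [Desk]::DESKTOP_SWITCHDESKTOP)
[void][Desk]::SwitchDesktop($hDesk)
Start-Sleep -Seconds 15
[void][Desk]::SwitchDesktop($hDefault)

[void][Desk]::CloseHandle($pi.hThread); [void][Desk]::CloseHandle($pi.hProcess)
[void][Desk]::CloseDesktop($hDefault)
# Closing our handle does not destroy the desktop while Notepad still has a window on it.
[void][Desk]::CloseDesktop($hDesk)
```

To reproduce the thread's test, start a hook-based logger (Anti-Keylogger Tester, or any SetWindowsHookEx WH_KEYBOARD_LL tool) on the normal desktop first, run the script, type into the Notepad that appears on the private desktop, and compare the log after the switch back. The converse is also worth trying: launch the logger itself with lpDesktop pointing at "IsolatedDemo" and it will capture there, which is the "malware can affect the current secure desktop" half of the summary.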
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Interesting tests :thumb:

    In which case you wouldn't need secure desktop, i guess ;)
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Returnil would be used to cure (upon reboot) any infection you get while in the secure desktop, but any keyloggers already present in the system hopefully wouldn't function while in the secure desktop. I didn't test with Returnil yet though....

    I think the closest competitors to this method might be Prevx SafeOnline or KeyScrambler.

    On an unrelated note, I think I'll refer to this program as "Secure Desktop Run As," which is IMHO more appropriate than "User Account Control."
     
    Last edited: Oct 24, 2010
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've tested against Advanced Keylogger from Eltima. Advanced Keylogger didn't log any keys pressed in the secure desktop.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Excellent :thumb:

    What about screenshots though ?

    See my latest post in - http://www.wilderssecurity.com/showthread.php?p=1772410#post1772410

    Advanced Keylogger from Eltima is a beech :eek:
     
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I set my browser to always run at low integrity level, with DEP, ASLR etc with the help of EMET-2...

    Will my browser running on secure desktop have all the settings?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Advanced Keylogger couldn't grab any screenshots from the secure desktop :).
     


    Last edited: Oct 24, 2010
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Right... "Hey good sir, may I make use of this application?" ... Polite malware... Who would imagine that?

    Polite....

    ... but stupid.

    Imagine I have Spybot - Search & Destroy installed, which, to apply immunizations, add or remove autorun entries, etc., needs Administrator rights. If I set Spybot to always run as Administrator, then couldn't malware check if Spybot is installed and just run it on its behalf (obviously, without the user even seeing it) and just add autorun entries, and delete antimalware autorun entries?

    Just a tiny example.

    Am I seeing the wrong picture, perhaps o_O
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Secure Desktop RunAs can create a new shortcut but it doesn't modify existing shortcuts or programs.
     
    Last edited: Oct 24, 2010
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tested Firefox running as a low integrity app and configured it with EMET. When I ran Firefox in the secure desktop, it ran as a medium integrity app. EMET was active for Firefox when run in the secure desktop.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tested against 6 of the 7 keylogging tests of Anti-Keylogger Tester v3.0 running in a normal desktop, first with non-admin rights, and then with admin rights, while typing into Notepad in a secure desktop. Anti-Keylogger Tester was unable to record keystrokes in the secure desktop in any of the tests. I couldn't try the JournalRecord Hook test because it failed to set.

    This is perhaps a fine method for online banking using a different browser than you normally use, one with no third-party addons. Activities which have too high of a chance of encountering malware should probably not be done in the secure desktop.
     
  21. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I thought so...

    have you tested isolation software like GesWall / DefenseWall or Sandboxie?
    did they sandbox/isolate browsers that try to run in the secure desktop?

    In a secure desktop session can you open 2 or more programs or just one?

    Thank you for the tests.
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    I didn't test isolation software. You can open more than one program in a secure desktop; in fact you can launch explorer.exe.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. But, isn't the purpose of this app to give us the chance not to receive any more UAC alerts for apps we constantly use, for example? If I understood it right, every time I want to start Spybot or some other app, I no longer will get any UAC prompts for it, if I choose that way, right o_O Spybot will always run with Administrator rights every time it is run, won't it?

    This is what I'm understanding the app does, besides the secure desktop situation.

    If that's the case, wouldn't the scenario I mentioned before be plausible to happen?
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, the program has two different types of functionality:
    a) secure desktop runas - usage cases #2 and #3 from first post
    b) avoid UAC alerts - usage cases #1 and #4 from first post

    Using your example, suppose malware happens to launch Spybot that then runs as admin. Then what? User Interface Privilege Isolation, explained at New Technologies for Windows Vista, still limits the interaction between the malware and Spybot running as admin.
     
  25. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,574
    I still can't get that to work in a LUA account (with SRP). I still get a prompt by UAC asking for my admin account credentials. I have tried both placing the program in the C:\Security folder (set an SRP additional path rule to allow it) and inside the C:\Program Files directory, but still the same result. What am I doing wrong?
     