Using screen dimming software to avoid typing credentials into a fake UAC prompt

While I was using Dark Screen to reduce brightness on my laptop screen, I noticed that it doesn't dim UAC prompts, assuming that you have UAC set to display its prompts on the secure desktop. It then occurred to me that Dark Screen can be used as a security program. If malware generates a fake UAC prompt, Dark Screen should dim it, whereas a genuine UAC prompt (assuming it's being displayed on the secure desktop) cannot be dimmed by Dark Screen. So if you're using Dark Screen and you see a purported UAC prompt that is dimmed, then it's from malware .

 

cool trick!

 

Sorry If a sound like an idiot, But I don't get it..
Why would malware fake a UAC alert? what would that achieve?

 

I suppose clicking a fake UAC alert thinking you were clicking "allow" out of habit may be a trick for clicking a disguised execute, download, etc for malware. May be a way to get the admin password too I suppose.

 

In a standard user account, a UAC prompt asks for admin credentials. Thus, malware running in a standard user account could also display a fake UAC prompt in order to get admin credentials.

 

So if malware popped up a fake UAC, asking for admin rights...Wouldn't then the "legit" UAC pop up saying its asking for admin rights anyway?
If the "legit" UAC didn't pop up, It would be a bypass - and if the malware could bypass UAC, why even bother with the fake uac alert?

 

i get your point. A fake UAC alert is fake right? no elevated actions would happen since it is a fake and not the real UAC.


it does make sense if the fake UAC prompt came from some tricky website and allowing it would probably trigger some drive-by download exploit.

I'd notice it right way, since it came from inside the browser

 

I'll answer with a realistic scenario. You're browsing the web and are hit by a drive-by download that executes. So at this point malware is already running, but it doesn't have admin rights yet. Now perhaps the malware creates a fake UAC prompt asking for admin credentials. If you type the admin credentials, the malware now knows that info.

 

good point

but you can also harden UAC settings in GPEDIT so you dont need resources for screen dimming software running in realtime

switch to the secure desktop when prompting for elevation
prompt for credentials on secure desktop.
require ctrl+alt+delete
require trusted path for credential entry

 

Good point . There is a problem with this though: ctrl+alt+delete is also required in UAC prompts where credentials are not asked for, which is a nuisance.

 

The only ever prompt by UAC i've been asked is Yes\No, I haven't had to type in something?

 

That's probably because you're using an admin account. In a standard account, UAC prompts ask for credentials.

 

ah! I get it now
thanks, I knew something wasn't making sense.

 

Right, which also means any malware launching in user space, if memory serves?

Also, I see ctrl-alt-del only for login, or is it only for specific UAC configurations?

 

Hitman Pro and Prevx identify it as medium risk malware.
Thanks for the info but I'll stick with what I've got.

 

Yes.

See http://www.windowsitpro.com/article/security/using-OTS-elevation-with-UAC.aspx.

 

you can use "PROMPT FOR CONSENT ON SECURE DESKTOP" instead of CREDENTIALS to reduce the nuissance

never mind the ctrl+alt+del its only for logon, my bad

 

Yes, and that's the default for admin accounts. It's a nuisance IMHO to press ctrl+alt+delete when in an admin account just to be able to give consent.

You were correct originally - see my last post.

 

ok. I always use admin these days and this is my UAC settings

 

Okay, I didn't know it was out there.

With the latter approach, isn't the addition of a 3rd party application considered a negative trade-off? At least the former approach uses what's already built-in to the O/S.

 

It is. I tried the ctrl+alt+del setting awhile ago, but quickly got rid of it because ctrl+alt+del is then required just to dismiss a consent-only UAC prompt when I'm in my admin account, which is usually where I encounter UAC prompts.

 

User Account Control Prompts on the Secure Desktop

 

Interesting link, thank you. Something occurred to me earlier; how would a malware capable of displaying a fake UAC alert on a dimmed (secure) desktop know what my account's picture icon looks like, as well as the name I'm using for my administrator account (I don't use "Administrator" because it's used by the built-in administrator account)? It would have to get these two conditions right when producing and displaying its fake UAC alert. Is this just a mere formality by this type of malware?