UAC Impact On Malware

Discussion in 'other security issues & news' started by Thankful, Mar 5, 2013.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    From the article:

    Regarding this UAC pop-up it generates: this is why, if one has a Pro or higher version of Win 7 available, they should enable this in Group Policy settings:

    "Require trusted path for credential entry"

    http://www.windowsitpro.com/article/security/using-OTS-elevation-with-UAC-125155

    also here:

    https://www.wilderssecurity.com/showpost.php?p=1959147&postcount=1
     
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    The point in the article seems to be different: it isn't about a fake request...

    So it seems that the UAC prompt will be a "legit" one, from InstallFlashPlayer.exe.
     
    Last edited: Mar 5, 2013
  5. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I gave this a try on my Protected Admin setup and it has a slight inconvenience, but it is a nice option. Thanks wat.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    you're welcome!

    You are right, my oversight. I guess what puzzles me, then, is how it executes in the first place?? From the article, the author executes it by double-clicking on it. So my question is how does it attempt to execute in a typical situation?
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I think I understood how the infection works, but I also don't know the answer to your question... maybe some exploit initiates the execution? o_O

    Anyway this shows that using automatic update in Flash Player (and some other applications, probably) can also be a dangerous thing. It wouldn't be unexpected to see a UAC prompt to update Flash Player, Adobe Reader, etc. if one has automated updates turned on.
     
    Last edited: Mar 6, 2013
  8. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    On the other hand, it seems that anti-exes and firewall/HIPS whitelists can be abused, because they will automatically allow the "bait" exe to launch...
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    In my setup using SRP and Jetico combined, it won't allow the Flash setup executable or the DLL to launch from the Temp directory, or any other user directory for that matter.
     
    Last edited: Mar 6, 2013
  10. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    The DLL search-order vulnerability, yes. I put up a quick guide to fixing that in this thread, for those who are interested: https://www.wilderssecurity.com/showthread.php?t=342865

    Sophos has several write-ups on ZeroAccess, referenced in the article in the OP. Sophos notes these attack vectors in their technical papers: exploit kits (euphemised as drive-by downloads) and warez/keygens/cracks. They also note that ZA has transitioned from a kernel-mode rootkit to user-mode.

    Regarding UAC: in Windows 7 and Windows 8, UAC is not maxed-out for Admins, but it does get maxed out for Standard Users. This leaves the "Protected Admin" vulnerable to some types of privilege-escalation attacks, and I believe ZA's one of the guilty parties but I'm not going to dig for that... been a long day already. Suffice it to say, setting UAC to Always Notify for the Admin-level account(s) is the safe bet.

    If you want your Standard User accounts to be extra-safe, one dire option is to go into Local Security Policy (secpol.msc) and set their elevation option to Automatically Deny. This requires Admin work to be done with a Fast User Switch to the actual Admin account. The benefit of doing that, as opposed to elevating a process using UAC from within the Standard User account, is that the elevated program runs under a different user's context and would be hindered from interacting with the Standard User's other running programs/processes. However, for most scenarios the hassles won't be worth the hypothetical benefits.
     


    Last edited: Mar 7, 2013
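An added example to go with wat0114's Group Policy recommendation in post 3 and mechBgon's UAC advice just above (this is not code from the thread or from any of the linked articles): a PowerShell script that reads the registry values behind those policies and, on request, applies the stricter settings. The registry locations and value meanings are Microsoft's documented UAC and CredUI policy mappings; the choice of target state (Admins on Always Notify, Standard Users on Automatically Deny, trusted path for credential entry) comes from the thread, not from Windows defaults. Run it in an elevated PowerShell; the Set-UacPosture calls are commented out so that pasting the script only audits.

```powershell
# Added example (not from the thread): audit the UAC and credential-prompt
# policy values discussed above, and optionally apply the stricter settings.
# Registry paths and value meanings follow Microsoft's UAC/CredUI policy mapping;
# the target state (Always Notify, Automatically Deny, trusted path) is the
# thread's recommendation, not the Windows 7/8 default.

$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$CredUiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

$AdminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always Notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7/8 default)'
}
$UserMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-PolicyDword {
    # Reads a DWORD policy value, falling back to the documented default when
    # the value (or the whole key) is absent, i.e. "not configured".
    param([string]$Path, [string]$Name, [int]$Default)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $Default }
    return [int]$p.$Name
}

function Get-UacPosture {
    # Returns the effective values and flags whether each one matches the
    # stricter target state chosen in the thread.
    $admin   = Get-PolicyDword $UacKey 'ConsentPromptBehaviorAdmin' 5
    $user    = Get-PolicyDword $UacKey 'ConsentPromptBehaviorUser' 3
    $secure  = Get-PolicyDword $UacKey 'PromptOnSecureDesktop' 1
    $lua     = Get-PolicyDword $UacKey 'EnableLUA' 1
    $trusted = Get-PolicyDword $CredUiKey 'EnableSecureCredentialPrompting' 0

    [pscustomobject]@{
        UacEnabled           = ($lua -eq 1)
        AdminPrompt          = $AdminMeaning[$admin]
        AdminIsAlwaysNotify  = ($admin -eq 2 -and $secure -eq 1)
        StandardUserPrompt   = $UserMeaning[$user]
        StandardUserAutoDeny = ($user -eq 0)
        SecureDesktop        = ($secure -eq 1)
        TrustedPathForCredUI = ($trusted -eq 1)   # "Require trusted path for credential entry"
    }
}

function Set-UacPosture {
    # Applies the thread's recommendations. Run elevated; a UAC level change
    # takes effect at the next logon.
    param(
        [switch]$AdminAlwaysNotify,      # ConsentPromptBehaviorAdmin = 2 plus secure desktop
        [switch]$StandardUserAutoDeny,   # ConsentPromptBehaviorUser = 0 (needs a separate admin account)
        [switch]$RequireTrustedPath      # Ctrl+Alt+Del before any credential prompt
    )
    if ($AdminAlwaysNotify) {
        Set-ItemProperty -Path $UacKey -Name 'EnableLUA' -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
    }
    if ($StandardUserAutoDeny) {
        Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorUser' -Value 0 -Type DWord
    }
    if ($RequireTrustedPath) {
        if (-not (Test-Path $CredUiKey)) { New-Item -Path $CredUiKey -Force | Out-Null }
        Set-ItemProperty -Path $CredUiKey -Name 'EnableSecureCredentialPrompting' -Value 1 -Type DWord
    }
}

# Audit only; uncomment the Set-UacPosture lines to apply.
Get-UacPosture | Format-List
# Set-UacPosture -AdminAlwaysNotify -RequireTrustedPath
# Set-UacPosture -StandardUserAutoDeny    # only after confirming you can Fast User Switch to an admin account
```

The script reads the Policies keys that secpol.msc and Group Policy write, so it reports the same state those consoles show, and it treats a missing value as the documented default rather than as "off". Automatically Deny locks a Standard User out of in-session elevation entirely, which is exactly the trade-off mechBgon describes, so apply that switch only when a separate admin account is ready.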
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has anyone on here actually had UAC prompt them when encountering malware in the wild? I haven't, but then again I don't believe it would have ever made it past Appguard on my machines.
     
  12. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Sort of, in the form of Protected Mode warning prompts from IE. PM is joined at the hip to UAC.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    The part of the exploit process that confuses me the most, still leaving me with unanswered questions, is how, exactly, does the dropper generate the UAC prompt?? From the article:

    I don't get how the UAC popup is forced. Also, if I haven't deliberately downloaded an Adobe installer when the UAC popup appears, I'm going to be really suspicious to say the least :eek:
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Interesting article, thanks.

    The dropper downloads and executes a legit Flash installer, so the UAC pop-up looks normal, but because of the DLL vulnerability, the ZeroAccess DLL is loaded into the Flash installer. Most folk wouldn't get suspicious when they get a UAC pop-up with Adobe listed as verified publisher, so they click Yes and ZA's mission is complete. In this case it uses the Flash installer, but I guess there are lots and lots of installers with the DLL vulnerability.
     
  15. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    edit: ^ beat me to it :)

    The dropper launches a legit Adobe file that needs a .DLL file with a certain name. Windows says "ahhh, this awesome Adobe-signed .EXE file needs blah.DLL, now where can I find one of those... OH LOOK, there's one right here in the same directory as this .EXE file! Unless my owner set CWDIllegalInDllSearch to FFFFFFFF, I'm totally free to use this copy, instead of going allllllll the way to System32 for it."

    Using the CWDIllegalInDllSearch registry entry set to FFFFFFFF (0xffffffff) lets you force Windows to look for the real blah.DLL file, which is in System32 and isn't just evil.DLL renamed to blah.DLL (we hope).
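A PowerShell example added here (not mechBgon's guide and not code from the thread or the Sophos papers) that shows where the current working directory sits in the DLL search order, applies the global CWDIllegalInDllSearch = 0xFFFFFFFF setting, and adds the per-application exception that later posts refer to. Registry locations follow Microsoft KB 2264107; 'InstallFlashPlayer.exe' is the executable named in the thread, and 'LegacyImageEditor.exe' is a hypothetical name standing in for an application that needs an exception. One caveat the script makes visible: CWDIllegalInDllSearch only removes the current working directory entry from the search order. The directory containing the EXE is always searched first and is not affected by this setting, so a DLL dropped beside the installer is still found there; the setting defends against the separate case where a DLL sits in the directory the process was started from (for example a share or download folder).

```powershell
# Added example (not from the thread): inspect and harden CWDIllegalInDllSearch,
# and show the effective DLL search order for a given executable name.
# Registry locations are those documented in Microsoft KB 2264107.
# 'InstallFlashPlayer.exe' is the EXE named in the thread; 'LegacyImageEditor.exe'
# is a hypothetical application that needs a per-app exception.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name   # DWORD 0xFFFFFFFF reads back as Int32 -1
}

function Get-DllSearchOrder {
    # Returns the ordered list of locations the loader searches for an implicitly
    # linked DLL that is not already loaded and not a Known DLL, honouring a
    # per-application CWDIllegalInDllSearch override when one exists.
    param([string]$ExeName = 'InstallFlashPlayer.exe')

    $safeMode = Get-RegDword $SessionMgr 'SafeDllSearchMode' 1      # on by default since XP SP2
    $cwdMode  = Get-RegDword $SessionMgr 'CWDIllegalInDllSearch' 0
    $perApp   = Join-Path $IfeoRoot $ExeName
    if (Test-Path $perApp) {
        $cwdMode = Get-RegDword $perApp 'CWDIllegalInDllSearch' $cwdMode
    }

    $cwdEntry = switch ($cwdMode) {
        -1      { $null }                                                   # 0xFFFFFFFF: CWD removed
        2       { 'current working directory (skipped if WebDAV or remote share)' }
        1       { 'current working directory (skipped if WebDAV)' }
        default { 'current working directory' }
    }
    $system = @('System32', 'System (16-bit)', 'Windows')
    # The EXE's own directory is always first and is NOT governed by CWDIllegalInDllSearch.
    $order = @('directory containing the EXE')
    if ($safeMode -eq 1) {
        $order += $system
        if ($cwdEntry) { $order += $cwdEntry }
    } else {
        if ($cwdEntry) { $order += $cwdEntry }
        $order += $system
    }
    $order += 'PATH directories'
    return $order
}

function Set-CwdIllegalInDllSearch {
    # Global hardening: remove the CWD from the search order for every process.
    param([int]$Value = -1)   # -1 is how PowerShell writes and reads DWORD 0xFFFFFFFF
    Set-ItemProperty -Path $SessionMgr -Name 'CWDIllegalInDllSearch' -Value $Value -Type DWord
}

function Add-CwdSearchException {
    # Per-application override for software that breaks under the global setting.
    # Value 0 restores default behaviour for that EXE name only; the key under
    # Image File Execution Options is created if it does not exist.
    param([Parameter(Mandatory)][string]$ExeName, [int]$Value = 0)
    $key = Join-Path $IfeoRoot $ExeName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' -Value $Value -Type DWord
}

# Audit (read-only). Uncomment the two Set/Add lines to apply; run elevated.
Get-DllSearchOrder -ExeName 'InstallFlashPlayer.exe'
# Set-CwdIllegalInDllSearch                                   # global 0xFFFFFFFF
# Add-CwdSearchException -ExeName 'LegacyImageEditor.exe'     # hypothetical exception
Get-DllSearchOrder -ExeName 'LegacyImageEditor.exe'
```

Running the audit before and after the Set call shows the "current working directory" entry disappearing from the list while "directory containing the EXE" stays at the top, which is the part of the search order a dropper that unpacks installer and DLL into the same Temp folder relies on. Only the per-application value is consulted when both exist, so an exception of 0 for one EXE name leaves the global 0xFFFFFFFF in force for everything else.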
     
  16. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    mechBgon,
    I don't know if it's common, but wouldn't that break the functionality of some installers?
    Anyway it seems an easy and effective solution.

    (PS: I like your site, I've learned from it how to use Parental Controls to whitelist .exe's :thumb: )


    Edit: never mind, I've just read this other post that teaches how to create exceptions.

     
    Last edited: Mar 8, 2013
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thanks for the explanations :) Okay, so I guess the dropper itself is coded somehow to get itself to execute in the Temp directory? Again, if one doesn't deliberately download an Adobe Flash installer, they should be highly suspicious of this UAC popup.
     
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288

    That's true, unless the user has chosen the option to automatically update during the Flash Player install (I think that is the default option, I can't check it right now) :/

    An option to avoid that scam would be the use of third-party software to check for updates (like Secunia, or the FileHippo update checker), because that way the user knows that the only time he should see a prompt is when he manually/deliberately checks for updates...
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Good point, you are right, that is the default setting. Mine is set to never notify.

    That is a good option. I just look here at Wilders for update notifications from the good folks who provide them :)
     
  20. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    You'd think so, but I have the CWDIllegalInDllSearch locked down on the computers I maintain, and installers work normally. I have an older image-editing program I like, and it did need an exception added to the Registry or it would hang on launch, but that's the only fallout I've personally encountered so far in my little home/SOHO environment.

    Yes, and I speculate that Microsoft is just reluctant to change it because it would break so much old third-party software at once that their phones would catch fire :)

    Thanks, I'm glad it's useful :) The SRP page is twice as popular as any other page on my site, even the security guide.
     