Dridex returns with Windows UAC bypass method

Discussion in 'malware problems & news' started by Minimalist, Jan 27, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Another example of malware using a legit Windows process maliciously.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I wonder if this bypass works even when UAC is set to the highest (and most annoying) level. But anyway, who cares about UAC, this trojan is easily stopped by HIPS.
     
  4. guest

    guest Guest

    I don't think so.
    The trojan is using Recdisc.exe for gaining more rights.
    Recdisc.exe is requesting administrator rights, and if I look into the manifest of the file, I see: <autoElevate>true</autoElevate>
    Now, if you have UAC at default settings, Recdisc.exe needs no UAC prompt to get administrator rights, and "Dridex leverages this feature to bypass UAC".
    But if you set it to the highest level, you should get a UAC prompt.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Most UAC bypasses exploit some system application that doesn't need elevation approval if UAC is set at default level. As soon as UAC is set to max, those techniques usually don't work any more.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just tested on Win 10, same behavior. UAC set at default - no prompt. UAC set at max - prompt.

    Perfect example of why security experts recommend setting UAC to highest level.
     
  7. guest

    guest Guest

    Oh, HIPS is built into Windows!!!! Great news! Tell me how to enable it... /sarcasm

    Exactly, UAC shouldn't even have several levels; it should be at max by default, but whiners rule the world, they are too lazy to click a prompt 3 times a day...
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    That's not the point is it? Like I said, most users will probably click on "yes" if they really want to run some app and AV says it's clean, so UAC and SmartScreen won't help. What does help is HIPS/BB alerting about or auto-blocking suspicious behavior. But anyway, I'm not talking about other users, I'm talking about my own system.

    No, these whiners know that it's basically fake security. Remember, UAC alerts are about the 1% of the time it's unexpected. :argh:
     
  9. guest

    guest Guest

    If it is your system, then it is your opinion on one system, and I respect that; but we are not here to praise/bash a feature working on a specific system (I think nobody cares), but in its general purpose on an out-of-the-box system.

    You know, parachutists have a backup parachute in case the main one fails, in the 1% chance of malfunction. I think they will still keep it even if they know it will maybe never be used :p
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I do commend @mood for highlighting the auto UAC elevation feature in Windows since it is something not commonly discussed.

    Noteworthy is the new and persistent use by malware of using Windows built-in processes against itself. Running UAC at highest level is an effective alert mechanism to such activity occurring. What is needed is better end user education into UAC's use and what activity to be suspect of.
     
  11. guest

    guest Guest

    Exactly, the user is the first cause of infection, and the weakest link. You can't just give a tool to someone and say "go use it" if you don't teach him first how to use it.
    How many Average Joes read the help files or MS articles? Almost none...

    You can't blame a tool's effectiveness if the user doesn't know how to use it. And here I see many people using security tools without knowing how to do it properly, then blaming the tool because they get issues.
     
  12. guest

    guest Guest

    Definitely.

    These "UAC bypasses" can be mitigated by setting UAC to maximum.
    One example is "UACMe":
    = Now here we have this "feature" again: "AutoElevate"

    What is the requirement of this tool?
    = These bypasses need UAC set at default settings
    And how can the user protect himself against the auto-elevation of files (+and the abuse of it)?
    = UAC set to maximum and full awareness about the UAC-dialog should be enough.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    You seem to forget about the fact that parachutes and condoms (as mentioned in the other thread) don't annoy the user with useless questions. So it's a bad comparison if you ask me. Why do you think that M$ has made UAC a bit more "user friendly"? It's because they are afraid that if they didn't, a lot of people would simply disable it. And yes, in the standard UAC alert mode, it's quite easy to bypass.
     
  14. guest

    guest Guest

    @Rasheed whatever... you play with words... if MS were worried, they wouldn't even allow UAC to be disabled... you think too simply. MS reduced UAC effectiveness because of the people whining about its "annoying factor", and they want to satisfy the whining noobs that don't even understand that UAC is there to help them be safer.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    You seem to keep discussing just for the sake of it. Why do you think M$ allows disabling UAC? Because the whole world would complain about it; this already happened when Win Vista was launched, so what's your point? The fact is, it's annoying to a lot of people, and hardly provides any true security. LUA only makes sense on a multiple-user machine, where only one person wants to be admin. And if you want to truly secure noobs, take the decision whether to run some app out of their hands:

    https://www.wilderssecurity.com/thr...vement-in-security.391629/page-3#post-2648982
     
  16. guest

    guest Guest

    How annoying?... You need to launch admin tasks every 5 min?

    I'm the only user and I use SUA because it is the basis of security (if you ever used Linux you will understand why I use it); it reduces the effectiveness of a potential infection. Also, don't forget registry & folder virtualization.

    But I guess you don't care, you feel safer with a HIPS, so be it. :D
     
  17. guest

    guest Guest

    This might be one of the reasons why MS introduced the auto-elevation of executables.
    UAC not at max by default + auto-elevation = fewer UAC prompts. The user is happier, but malware authors are happier too.
    If malware can easily get admin or even system rights when UAC is set to default, then after setting UAC to max the user now gets the UAC prompt and can make a decision.
    And if it can't get admin rights easily, I would see this as an increase in security. But for some people the annoyance factor is higher now.
    Or it can be disabled completely, it's up to the user:
    But a few UAC dialogs a day is not very annoying for me, so I leave it enabled.

    As malware is not commonly signed, the user can harden the system a little bit more by preventing the elevation of unsigned executables.
    Now the user doesn't even have to make a decision at the UAC prompt, because it is not displayed and the unsigned executable is now blocked automatically :)
    (...but if the unsigned malware is executed from an elevated application, it's not automatically blocked and the above hardening has no effect)

    One more little mitigation is to disable the "Installer detection" of UAC.
    So the user can decide (and not UAC) if an installer or a file needs elevation or not.
    (...sure, an installer might need admin rights, but the user now has more control after disabling the Installer feature.
    Now the user doesn't see the UAC dialog after simply executing install.exe [this doesn't apply to files with a <requestedExecutionLevel> manifest], only after running install.exe with "Run as Administrator")
    More information about this feature:
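    The manifest check from post 4 and the three UAC hardening settings from post 17, written up as an added Python example that is not part of this thread: the sample manifest is constructed, and the policy dict stands in for the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (ConsentPromptBehaviorAdmin, ValidateAdminCodeSignatures, EnableInstallerDetection, EnableLUA), whose meanings are assumed from Windows documentation rather than taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest, in the shape Windows uses for auto-elevating
# system binaries (post 4 found <autoElevate>true</autoElevate> in recdisc.exe).
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>"""

def manifest_elevation(manifest_xml):
    """Return (autoElevate, requestedExecutionLevel) declared by a manifest."""
    auto, level = False, None
    for el in ET.fromstring(manifest_xml).iter():
        name = el.tag.rsplit('}', 1)[-1]   # drop the namespace, whichever asm.vN it is
        if name == 'autoElevate':
            auto = (el.text or '').strip().lower() == 'true'
        elif name == 'requestedExecutionLevel':
            level = el.get('level')
    return auto, level

# The policy dict stands in for values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (read with winreg
# on a real host); the value meanings below are assumed from Windows documentation.
def uac_posture(policy):
    """Map the thread's three mitigations onto the registry values behind them."""
    return {
        # 2 = "Always notify": prompt on the secure desktop for every elevation.
        'always_notify': policy.get('ConsentPromptBehaviorAdmin') == 2,
        # 1 = only executables with a valid Authenticode signature may elevate.
        'unsigned_elevation_blocked': policy.get('ValidateAdminCodeSignatures') == 1,
        # 0 = heuristic installer detection off; the user decides via "Run as administrator".
        'installer_detection_off': policy.get('EnableInstallerDetection') == 0,
    }

def silent_autoelevate_possible(manifest_xml, policy):
    """True when this manifest's binary would elevate with no prompt under the policy."""
    if policy.get('EnableLUA', 1) == 0:      # UAC switched off: everything elevates silently
        return True
    auto, _ = manifest_elevation(manifest_xml)
    # 5 = the default "prompt only for non-Windows binaries", which honours autoElevate;
    # 0 = never prompt. Any other setting prompts even for auto-elevating system binaries.
    return auto and policy.get('ConsentPromptBehaviorAdmin', 5) in (0, 5)
```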
     
  18. guest

    guest Guest

  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I currently have shortcuts on my desktop for about 10 apps that can't function correctly without admin rights, think of system monitoring and tweaking tools, no way I'm going to approve them to run, even if it's only twice a day. And I also install apps every week, no need for UAC, especially since I'm already using a white-listing tool, plus have to respond to HIPS alerts.

    But again, those HIPS alerts make sense, because they tell me if some app is acting suspicious. UAC just tells me that some app needs admin rights, not that interesting, especially because if you click on no, you can't install software. But I believe your brain is wired in a different way, so you are probably missing the point. It's probably best to stop discussing this subject. :D
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yes exactly, everybody made fun of Win Vista because of UAC. The idea behind it is a good one, but it's not for everyone, too annoying and it doesn't give that much security benefit on a single user machine. In fact, even on a multiple user machine running as ADMIN, it's quite easy to stay safe with the help of anti-exe, sandboxing and HIPS (auto-block). So it never made sense for me to run as protected admin. So that's where all these "LUA/UAC is crap" comments are coming from.
     
  21. guest

    guest Guest

    I surely have the same tools as you, and I use them once a day, and once launched I let them run in the background until I'm done with them. One click will not break my finger...

    Basically it is clear you don't understand (or don't want to understand) UAC... and it seems you have a bad memory, so I will repeat: UAC's purpose is to prevent unwanted elevation; if it is an installation, it is a wanted elevation, so obviously you will allow it...
    You say you download a known app, check it via reputation tools, then you would rather use a HIPS with dozens of pointless prompts to be sure the legit app you just checked via reputation is still legit and doesn't have hidden secret suspicious mechanics in it... :rolleyes: and you are annoyed because UAC asks you one prompt, you are so funny lol. :argh:

    Indeed our brains are wired differently; I use my knowledge and the tools given in my OS to ensure sufficient and efficient security (ask @Windows_Security, we share the same principles). I wonder what you will do when you won't have any 3rd party tools... still disabling native security features? (I see you always elude that question :D)

    As you say pointless to discuss anymore.
     
  22. Although I agree with @guest, I also agreed to disagree with @Rasheed187 (and want to keep it that way for the sake and well-being of the entire forum population).
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's another way to look at it.

    Yes, it is theoretically possible to use an anti-exec, HIPS, etc. to monitor every process that performs hidden privilege escalation. To effectively do so, one would need detailed knowledge of all Windows and third party processes that do so. Additionally, rules would have to be created to allow legit processes to do such escalation again requiring detailed knowledge otherwise, you will end up with the same situation caused by running UAC at max. level; that is constant alerting. Finally, most HIPS's do not have the capability of monitoring for privilege escalation per se. So what you are monitoring is the startup of the target process and not that a source process is performing privilege escalation.

    Then there is the final issue that allowed legit processes can be modified by malware via memory tampering resulting in a bypass of all anti-exec or HIPS rules that were created for legit processes. So now we have to create anti-exec and HIPS rules for all our allowed processes to prevent those from being tampered with. These rules in turn will conflict with legit processes that do process injection or modification. So we have to create exceptions for those. Etc., etc.

    There is a lot of blame that can be placed on Microsoft for allowing obsolete Windows utility processes to exist that can be exploited by malware.

    In a perfect Windows world, security would never be a concern to the end user since it would be built-in to the OS with it automatically making all the proper decisions in regard to blocking all malware. That day as we all know will never happen because the PC architecture itself is inherently insecure.
     
    Last edited: Feb 2, 2017
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    It's not just about the amount of alerts, it's about if it makes sense to see the alert. And I don't trust any app blindly, otherwise it doesn't make sense to use HIPS. You seem to know nothing about HIPS, at least I get that impression.

    No it's you who doesn't understand. UAC isn't even a true security feature, and normally speaking you should never see any unexpected UAC alerts, if you do, then your security tools and brain have failed.

    It's totally irrelevant this question, go think about this.
     
  25. guest

    guest Guest

    I have used them for ages, I was a closed-beta tester for Emsisoft Online Armor, but yes, I don't know how to use a HIPS, gimme a break...

    FINALLY !!!!! YOU GOT IT !!! we can celebrate !!!!

    Elevation blocker , not malware blocker !
     