Dridex returns with Windows UAC bypass method

Discussion in 'malware problems & news' started by Minimalist, Jan 27, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I didn't say you don't know how to use it, but if you understood the purpose of HIPS, you wouldn't have said certain things; it's very simple. HIPS monitor app behavior, so you shouldn't complain about the alerts, and you can even tweak it and make rules to decrease the number of alerts. Not comparable to UAC, and that was exactly the point that Dan was making: alerts about elevation are not interesting when it comes to trying to figure out if some app is malware or not.

    Exactly, it's needed on a multiple user system, where other users shouldn't be allowed to modify system settings or to install software. If you're the only user it's not worth it IMO. Especially on a system as heavily guarded as yours. I think there is even less than a 1% chance that you will ever get to see that "unexpected" UAC alert, but keep the faith! :argh:
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I believe certain "enterprise level" HIPS monitor this. But the thing is, HIPS don't care about privilege level, so even if some app runs with the highest rights, it's still being monitored. The cool thing is that HIPS can restrict apps that are vulnerable to exploits, so even if malware like Dridex manages to run via exploit, it will have a hard time doing any damage.

    Yes correct, but this can't protect against the easiest way to bypass UAC: namely the user itself. If they download Dridex, and AV says it's clean, why wouldn't they allow it to run? But anyway, I was wondering about this: For people who use Process Explorer/Task Manager a couple of times a day, do they really approve it to run every time?
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I use various testing utilities constantly that request elevated privileges. UAC is set to "Ask Always."

    It doesn't bother me personally. I just use the left arrow key > Enter at the UAC prompt. Takes less than 1 sec.

    What cracks one egg, doesn't crack another...
     
    Last edited: Feb 3, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You won't get a UAC prompt for Process Explorer unless you run w/admin privileges; obviously some functionality is disabled.

    I do agree w/@Lockdown, answering a UAC prompt takes a second. Also it's a yes or no reply versus a HIPS alert which requires careful reading and interpretation to reply correctly. Finally, it is user configurable and can be modified or disabled by the user. So as is, UAC is acceptable.
     
  5. guest

    guest Guest

    @itman @Lockdown

    That is exactly what I keep saying: UAC won't pop up unless you do some specific admin tasks, and you don't do admin tasks often enough to be "annoyed" by it. If you don't do an admin task and UAC pops up, you can guess something is wrong. Not saying we never click the wrong shortcut and launch an admin tool; if UAC pops up, just click no, problem solved.

    Initially UAC was created to ease the use of admin tasks (installation included) from an SUA instead of signing out and signing into an admin account. It was supposed to be the equivalent of the sudo command in Linux.

    If you take UAC as malware protection, you are dead wrong, because that was never its main purpose; however, because malware often needs admin rights, UAC was assimilated to a malware protection feature and this was heavily relayed by M$ to "advertise" its use.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I think what is being missed is that this new Dridex attack is being targeted at financial institution endpoints, not consumer PCs. It is betting its success on those endpoints having UAC set at the default level for the very same reason @Rasheed187 is complaining about: the security admins don't want their employees answering UAC prompts.

    As far as anti-exec whitelisting, the malware will blow right through that since the targeted process is a legit Microsoft code signed system process. The target process is obscure enough that it probably was not defined by Group Policy or SRP.

    Finally, no HIPS will cover this for the same reason given for anti-exec whitelisting. And no one is going to create user rules to monitor the execution of every conceivable Windows utility process.
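Added example, not code from this thread and not Dridex's code: itman's point rests on the targeted process being a legitimate, Microsoft-signed system binary that elevates silently at the default UAC level. The property that makes that possible is the autoElevate flag in the binary's embedded manifest. The PowerShell below (function names Test-AutoElevateManifest and Get-AutoElevateBinary are my own) lists the executables under System32 that carry that flag and whether each has a valid Microsoft Authenticode signature, which is exactly the "legit signed system process" attribute an anti-exec whitelist keys on. It assumes Windows 8 or later with PowerShell 5.1+, so that catalog-signed system files validate through Get-AuthenticodeSignature; on Windows 7 most of them report NotSigned even though they are trusted. It does not name or pick any particular target.

```powershell
<#
  Added example (not from the thread, not Dridex code). Lists .exe files under a
  directory (default: System32) whose embedded manifest declares autoElevate=true
  and checks whether each carries a valid Microsoft Authenticode signature.
  At the default UAC level (ConsentPromptBehaviorAdmin = 5) such binaries elevate
  with no prompt, which is what a UAC bypass rides on and why a whitelist that
  trusts "Microsoft-signed system binary" does not stop it.
  Assumption: Windows 8+ / PowerShell 5.1+ (catalog signatures validate there).
#>
param(
    [string]$Directory = (Join-Path $env:SystemRoot 'System32')
)

# RT_MANIFEST is stored in the PE as plain XML, so a regex over the raw bytes
# (decoded 1:1 via Latin-1) finds the flag without a PE resource parser.
$latin1  = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$pattern = '<autoElevate[^>]*>\s*true\s*</autoElevate>'

function Test-AutoElevateManifest {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $text = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    } catch {
        return $false   # locked or unreadable file: treat as not auto-elevating
    }
    return [bool]($text -match $pattern)
}

function Get-AutoElevateBinary {
    param([Parameter(Mandatory)][string]$Dir)
    Get-ChildItem -Path $Dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { Test-AutoElevateManifest -Path $_.FullName } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                SigStatus = $sig.Status
                Signer    = $subject
                # "Valid Microsoft signature" is the attribute a whitelist trusts.
                MsSigned  = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
            }
        }
}

$found = @(Get-AutoElevateBinary -Dir $Directory)
$found | Sort-Object Name | Format-Table Name, SigStatus, MsSigned -AutoSize
'{0} auto-elevating executables under {1}, {2} of them Microsoft-signed' -f $found.Count, $Directory, @($found | Where-Object MsSigned).Count
```

Run it as-is for System32 or pass -Directory for another folder. The byte scan only sees the manifest flag; it misses elevation through auto-elevating COM objects, so treat the list as a lower bound on what elevates silently at the default level, not a complete inventory.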
     
  7. guest

    guest Guest

    Exactly, and skilled and conscientious admins would lock down the workstation so the employee won't need to answer any prompt, but we all know that most admins are not much better than Average Joe when it comes to security.

    The ideal corporate setup should be that only the productivity software installed on the workstation is allowed to run, with the browser uninstalled or at least extremely limited. Employees aren't supposed to install software or go on the internet; they are here to work.
     
    Last edited by a moderator: Feb 3, 2017
  8. guest

    guest Guest

    And the UAC-prompt can be prevented with a setting in the local policy. So requests for elevated rights are automatically denied.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I believe that is a global policy setting. As such, necessary and required system processes that require hidden elevation would be denied resulting in execution failure.
     
  10. guest

    guest Guest

    Yes, this is what I mean. It's a setting in the "Local Group Policy Editor".
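Added example, not from the thread: the Local Group Policy Editor settings discussed in the last few posts (the default level itman mentions, Lockdown's "Ask Always", and guest's automatic-deny policy) are all stored as DWORDs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The PowerShell below (Get-UacPolicy, Get-ValueDescription and Test-SilentElevation are my own names) reads them, states what each value means for silent elevation, and with -Harden writes the strictest prompting policy. The value meanings follow Microsoft's UAC policy reference. One caveat a practitioner should know: "Automatically deny elevation requests" exists only for the standard-user prompt (ConsentPromptBehaviorUser = 0); for administrators in Admin Approval Mode, 0 means the opposite (elevate without prompting), and the strictest choice is 2, the slider's "Always notify". Reading needs no elevation; -Harden assumes an elevated PowerShell.

```powershell
<#
  Added example (not from the thread). Reads the UAC policy values the Local Group
  Policy Editor stores in the registry, explains each, and optionally (-Harden)
  sets "Always notify" for admins and "Automatically deny" for standard users.
  Assumption: run elevated for -Harden. Value meanings per Microsoft's UAC docs.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Harden)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (slider: Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows default)'
}
$UserMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (Windows default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-ValueDescription {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    $m = $Map[[int]$Value]
    if ($m) { "$Value = $m" } else { "$Value = unknown value" }
}

function Test-SilentElevation {
    # True when a Microsoft-signed, auto-elevating binary (the usual UAC bypass
    # vehicle) elevates for an admin-group user without any prompt at all.
    param($Policy)
    if ($Policy.EnableLUA -eq 0) { return $true }
    $admin = $Policy.ConsentPromptBehaviorAdmin
    if ($null -eq $admin) { $admin = 5 }      # Windows default when the value is absent
    return ($admin -eq 0 -or $admin -eq 5)
}

$policy = Get-UacPolicy
'EnableLUA                  : {0}' -f (Get-ValueDescription $policy.EnableLUA @{0='UAC off';1='UAC on'})
'ConsentPromptBehaviorAdmin : {0}' -f (Get-ValueDescription $policy.ConsentPromptBehaviorAdmin $AdminMeaning)
'ConsentPromptBehaviorUser  : {0}' -f (Get-ValueDescription $policy.ConsentPromptBehaviorUser $UserMeaning)
'PromptOnSecureDesktop      : {0}' -f (Get-ValueDescription $policy.PromptOnSecureDesktop @{0='off';1='on'})

if (Test-SilentElevation $policy) {
    Write-Warning 'Signed Windows binaries auto-elevate without a prompt: the level a UAC bypass counts on.'
}

if ($Harden -and $PSCmdlet.ShouldProcess($UacKey, 'Set Always notify for admins and auto-deny for standard users')) {
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Output 'Policy written; a change to EnableLUA takes effect after a reboot.'
}
```

Run without switches to audit; add -WhatIf to see what -Harden would write before committing it. Because these are the same values Group Policy pushes, a domain GPO will overwrite a local change at the next refresh, so on a managed endpoint the fix belongs in the GPO, not the local registry.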
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, it's a matter of preference. If people think they are a lot more secure with UAC enabled, that's cool with me. I'm saying that the benefit you get is marginal. Only in the case of an exploit attack will you get to see the "unexpected alert" that guest is so worried about. Nowadays you've got browser sandboxes, ad-blockers and anti-executable/exploit tools, which will easily block exploits. So it's not worth clicking on those hundreds or even thousands of "expected" UAC alerts a year IMO.

    I'm afraid you missed the point. Alerts from HIPS shouldn't be compared to UAC alerts, they both have a different purpose. BTW, let's not forget that malware (like banking trojans and ransomware) can also run without any admin rights. So you will always need security tools like for example a white-listing tool, if you want to truly restrict average users.
     
  12. guest

    guest Guest

    Ummmm... seems legit to worry about unexpected things instead of expected ones :D
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Seriously guest, like I said, it's pointless to continue this discussion, since you still don't understand my point. I won't even bother to explain it once again. And I thought it was quite funny that in some other thread you called someone "way too paranoid". :D
     