Malware which bypass UAC

Discussion in 'other anti-malware software' started by WillyJ, Apr 27, 2009.

Thread Status:
Not open for further replies.
  1. WillyJ

    WillyJ Registered Member

    Joined:
    Apr 27, 2009
    Posts:
    2
    Can a malware bypass User Account Control introduced with Windows Vista?
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Short answer: yes.
     
  3. guest

    guest Guest

    There are anti-UAC tools.
    They look like packer tools.
    Anyone can use this tool and any malware (which is processed) can bypass.
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Anything can be bypassed with the right tools. UAC is particularly effective against rootkits. I lost the link unfortunately, they were testing some applications for rootkit detection, and in order to carry out the tests with Vista they had to turn off UAC as it was blocking them all (the ones in the test bed anyway).

    IMO one of the best security features introduced with Vista; like everything else it can't stop everything, but it is another hurdle for malware to deal with.
     
  5. WillyJ

    WillyJ Registered Member

    Joined:
    Apr 27, 2009
    Posts:
    2
    and the long one?


    These packers are crappy software coded in Visual Basic, and they don't work, because they only block writing
    to the system directory.
    I've never seen ITW malware which bypasses UAC without triggering a UAC prompt, and the UAC virtualization feature.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    The weakness of UAC is the same as any security feature that requires user input. The user either doesn't take the time to evaluate the prompt or can't determine the correct response and clicks "allow". But, I've not heard of a malware that can truly bypass UAC, meaning it can get on the system and corrupt system files without activating a prompt. FWIW, I do PC support and to date I have not seen a severely compromised Vista PC. All the systems crippled and destroyed by malware are running XP.
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    So UAC does help after all? :D It's actually the first thing I disable, even in Win7. :p Does disabling UAC make the system even more vulnerable than running Windows XP? o_O
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey raven211,
    So you're disabling one of the most useful protections?
    What type of account do you use?
    I suggest you turn it back on and get used to it.
    If you get a lot of prompts it's probably because the program in question isn't designed properly.

    With UAC enabled I can use a standard user account every day, and if I want to do admin stuff I get a prompt, type in my password and do admin stuff without compromising my security or switching accounts.

    If malware wants to access system folders a UAC prompt will appear (if UAC is enabled). If you're just browsing the web and you get a UAC prompt, you should click on cancel if you're unsure.
     
    Last edited: Apr 27, 2009
  9. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    So why is any security software needed in Vista, if I keep UAC on, if it can't be bypassed and I only use and install trusted software?
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I believe more in security software to be honest - it has proven its effectiveness in comparison. :D
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Why not have both? I see no reason at all to disable UAC.

    It's like getting a new house with hi-tech security, bodyguards and guard dogs, and then leaving your back door wide open.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are undesirable things that can happen without necessarily triggering a UAC prompt. One example is malware that sends all of your documents to a remote location.
     
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    My documents folder is about 3-4 GB. My guess is that it would take a long while to upload it somewhere. Would this operation go unnoticed while you are operating your computer?
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe or maybe not. The malware, instead, could also have encrypted or otherwise tampered with your documents without a UAC prompt. Or, do keylogging and send the results out without a UAC prompt. The point is that preventing system compromise isn't necessarily sufficient.
     
  15. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think the short answer would be no.

    AFAIK UAC is like an anti-executable tool.
    This is extremely effective at stopping real-world malware threats, if they are downloaded by internet browsing, as the earlier posts in this thread argue.

    If malware cannot be executed on a PC, it cannot "do" anything.
    It cannot damage your system, or send personal data out of it.
     
  16. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    I guess I can be classified as malware then, cause I disabled UAC :argh:
     
  17. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    It's not malware you need to concern yourself with... it's human error, clicking YES YES YES to everything.

    That is why UAC is pretty useless, because users give it permission no matter what.
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    This is not always the case. If you are starting a process, be it opening a program or installing something from a secure source, you would expect UAC to prompt you about it. But if the prompt comes without you doing anything, then perhaps I would deny any further operation pending verification. To deny access or stop any process is not irreversible (a matter of minutes); to get infected you might need the time to restore your system if you have an image (30 minutes); personal data theft is a one-way road.

    As pointed out by Victek123 post #6, and confirmed by a MS study, Vista seems to be less compromised than XP statistically speaking.
     
  19. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    How about using some Flash or Adobe PDF JavaScript vulnerability? Would it still stop at the UAC prompt?

    Does anybody know for a fact any real malware capable of bypassing UAC and still doing its work (keylogging, snapshots, data theft) without UAC prompt?

    I started to think, that maybe something like UAC+PrevX3 free monitoring (for detailed information about threats) and Defence Wall would be enough for pretty much complete security in Vista for normal use (installing only trusted software).
     
    Last edited: Apr 27, 2009
  20. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think you're on the right track.
    I'm looking into this question myself; I posted a question about the difference between JavaScript and executables here recently.

    For internet threats you have:

    1) Browser exploits (the browser code itself has a flaw)
    2) Plug-in exploits (Adobe, Flash, Java are the main ones; the code in them has a flaw).

    In both these cases JavaScript is allowed to do more than it was intended to do, and run in your local system.

    However, although in theory JavaScript can do X on your system, in practice most real-world malware copies an executable (exe, dll) to your file system to do its "work".

    So an anti-executable program will alert you to that. So if you get a pop-up during normal browsing something is up.

    If you keep 1) & 2) up to date then the real-world risk is a lot less.

    Then you have only 2 internet vector threats left.
    a - a known unpatched vulnerability in your browser or plugin
    b - a vulnerability which is known to malware writers but unknown to writers of vulnerability listings.


    a) can be checked with Google searches etc. Opera for example has a very low number of a).

    b) well that is the question! :cool:
    This is the only internet threat vector that is left to guard against.
    I asked the question "was there ever a genuine 0 day threat" here recently; have a look through that thread.
     
    Last edited: Apr 27, 2009
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From my point of view, UAC is reactive rather than proactive. That is, it does not prevent malware from getting onto the system, but alerts if the malware attempts to make changes to the system.

    This is analogous to a house with a hole in a window screen through which flies can enter. Rather than fix the hole, the owner puts fly traps inside. But suppose the flies avoid the traps and fly into the kitchen to feast on the plate of cookies left on the table.

    This illustrates MrBrian's point about programs that can do things without making changes to the system.

    Here is an illustration from some years ago:

    http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803634
    Now, prevention from this trick is obvious:

    1) Secure policies in place regarding USB

    2) Protection against the intrusion of unauthorized executables.

    It seems to me that the emphasis should be in taking care of all of the potential entry points for malware to sneak in, as Joeythedude has suggested above.

    That covered, why the need for UAC?

    I wouldn't say to disable it, but would caution against thinking that it takes care of protecting against all malware attacks by remote code execution.

    After all, I wouldn't want some trojan to steal my photographs of Aunt Minnie!

    ----
    rich
     
  22. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
    Because those protections are never perfect. I don't say UAC is perfect either, but I'm still looking for facts about malware capable of doing its bad work without a UAC prompt.

    Of course, the less experienced the user, the less UAC helps, because less experienced users are much more easily tricked into allowing access, where experienced users probably wonder why UAC prompts in this situation. So of course UAC is not any answer to security problems for the masses.

    But for example I use Norton UAC and don't see UAC prompts so often, so I would probably wonder about a UAC prompt appearing in situations where I don't expect it.
     
    Last edited: Apr 28, 2009
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    UAC is not that hard to understand how it works, and I'm not talking about technical details, but its simple way of working.

    UAC will prompt alerts in certain situations, such as:

    - The user starts some Operating System feature that requires administrative rights. Then, the user allows it.

    - The user starts one of his/her applications, which for certain tasks may require administrative rights. The user allows the action.

    - The user gets a prompt out of nowhere. The user didn't start anything that could require such prompt. The user cancels it.

    My family is running Windows Vista in normal user account with UAC enabled. In all their daily tasks, no UAC prompts, unless they start the security tools to update them, which something only update using administrative rights. Other than that, no prompts. Normal day. No hassles.

    But, should an alert come, and they didn't start anything, then, cancel it.

    At the beginning, for some users not knowing what UAC is all about, it may be hard to figure out in what conditions an alert will be given. But I believe that most shops selling computers don't even enable UAC, because it will be a way of people getting their systems infected and going back there sometime later and paying them to clean their systems.
    That's what happened with my family's system. UAC came disabled, and no normal user account was set up. They were running in an admin account.

    If the people who set up the systems tell the users how something as simple as UAC works, then it is a great security asset. It's like a motion detector. It won't prevent something from getting in, but will let the user know that something is about to do something, which could be harmful.

    But I guess that the number of people teaching others about something that is easy to understand is very small. It's all a business, by the end of the day.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In the early stages of Windows 7 testing, concern arose about a demonstration that disabled UAC, and the possibility that a trojan could incorporate this trick and then have complete access to the user's system.

    I argued in another forum that it was never demonstrated that this code could successfully install on a system with properly configured Software Restriction Policies, among other things.

    Note Microsoft's response to this scenario:

    Microsoft’s Response To Windows 7 UAC Criticism
    http://windows7news.com/2009/02/05/microsofts-response-to-windows-7-uac-criticism/
    Microsoft Does Listen: Changes UAC Behavior In Windows 7
    http://windows7news.com/2009/02/06/microsoft-does-listen-changes-uac-behavior-in-windows-7/
    This refers to my comment about protecting against remote code execution exploits where malware can intrude. While I did not use the term "perfect," I have yet to see a web-based exploit that can penetrate a properly protected system to install/run malware.

    Part of keeping up with computer security is watching for exploits to see how they work, then evaluate your own protection to see if you are covered. Sometimes it takes some digging to get the information, but it's the only way to know for sure what is going on.

    Let's take the on-going PDF exploits. Adobe just released another advisory. F-secure has recorded more than 2000 malicious PDF files in the wild. They infect by

    1) choosing to open a PDF file in an email attachment

    2) drive-by download from a web site.

    Let's eliminate the first attack vector, since hopefully everyone has sound policies in place about opening email attachments.

    So, for the drive-by attacks: Can PDF exploits bypass UAC? What does a PDF exploit do? How does a PDF file infect a computer?

    Most of the articles about the PDF exploits include something like, "Just connecting to the web page triggers the PDF exploit and malware is served up onto the computer."

    Not much help.

    Worse, in another forum, a Firefox user was hit by this exploit. How can that be? Firefox has issued no advisories/fixes for anything like this.

    Worse #2, a recent variant of PDF exploits went unpatched by Adobe for several weeks, causing all sorts of panic in many places. The cry went out, "Change to a different Reader."

    In looking for web sites to test, several would not trigger the exploit on my version of the Reader. Finally, I found one that did -- I had downloaded Firefox to test to discover what was going on.

    It turns out that besides the obvious -- that an unpatched version of AcroReader is required -- there are at least four hurdles for this exploit to jump in order to be successful, before it even reaches UAC territory. This is a summary from earlier posts in other threads.

    First Hurdle : several analyses pointed out that scripting is necessary for the exploit even to start. Here is typical code:

    Code:
    <SCRIPT language="javascript">

    function PDF()
    {
        for (var i=0;i<navigator.plugins.length;i++) {

        if (name.indexOf("Adobe Acrobat") != -1) {

            location.href = "spl/pdf.pdf";
    PDF();
    </script>
    So, block scripting, End of Threat.

    Today's browsers offer site preferences where you can keep scripting disabled globally, yet enabled on your trusted sites. OK, you can argue that even trusted sites can be compromised - with SQL injection, for example. Fair enough. On to:

    Second Hurdle: The exploit requires that the Acrobat Plugin be installed/enabled in the browser. You can see that specified in the code above. The plugin allows the PDF file to display directly in the browser automatically with no interaction from the user:

    [​IMG]

    Please note that in my test, this remotely executed code using a plugin bypassed the normal Download setting in Options:

    ff-downloadPref.gif

    Browsers allow for controlling plugins. Here is Firefox:

    ff-plugins.gif

    If the plugin is disabled, then the browser will prompt for the download:

    [​IMG]

    This is certainly the safest way of dealing with documents on the web: Prompt for Download. Since this is not a file you went looking for, CANCEL. End of Threat.

    OK, so the user doesn't have plugins disabled. On to:

    Third Hurdle: Where does this download come from? The location is specified in the code above - a file on the malicious server.

    Now that the PDF file is on the computer, what next? Where is the malware? It turns out that another connection to a web site occurs to retrieve the malware.

    Question: what application does the exploit use to automatically connect out to the site to retrieve the malware? Normally it is the browser, but in this case, we are misled. It is Acrobat Reader that calls out for the download. The URL to download is buried in the code of the infected PDF file, which will execute in a vulnerable version of the Reader.

    So, your firewall with outbound application rules will flag this immediately, for surely, you have not granted AcroReader free access to the internet:

    ff-acroKerio.gif

    Since you did not start AcroReader, much less an outbound connection, DENY. End of Threat.

    Now, it is evident why a Firefox user was infected. This is not a browser exploit, rather, a Plugin or 3rd-party Application exploit, for it works also using Opera. The browser is just the mechanism to download the PDF file. No browser code is being exploited.

    Yet there is still another requirement to satisfy, if plugins are enabled and the PDF file starts automatically, and there is no firewall rule preventing AcroReader from calling out for the malware:

    Fourth Hurdle: The malware must be able to download and install with nothing blocking. There are many solutions:

    ff-acroAE.gif

    Code:
    load.exe
    Sunbelt
    4/17/2009
    InfoStealer.Snifula.a
    
    End of Threat Fourth Time!

    So, the secrets are revealed: this is just another remote code execution exploit to get a trojan onto the system, using a PDF file as the trigger in this case.

    Would this trojan, load.exe, bypass UAC? Who knows. I don't use Vista/Windows 7, nor do I let malware run, since I'm not set up to test. I just show how easy it is to prevent malware from installing.

    Anyway, suppose this InfoStealer doesn't make changes to the system, as MrBrian suggests. UAC would never even know load.exe had intruded and done its dirty work.

    Rather than taking time to speculate on what might happen, it seems to me that time is better spent researching the exploits in the wild and ensuring that you have proper policies/security products in place to prevent them from intruding in the first place. In this case,

    1) be in control of how you handle scripting in your browser

    2) make sure that documents on the web cannot start automatically - disable plugins and let the browser Prompt to Download

    3) firewall that has application-based rules for outbound connection

    4) security to prevent the intrusion of unauthorized executables.


    regards,

    ----
    rich
     
    Last edited: Apr 28, 2009
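
Added example, not part of the original thread or any poster's code: the third and fourth hurdles in the post above (a document reader calling out to the network, then dropping and starting an executable) expressed as detection logic over endpoint events. The log format, field names, process lists and sample events are all assumptions constructed for illustration.

```python
import re

# Constructed sample events, not taken from the thread. The line format and
# field names are assumptions; map them from your own endpoint telemetry.
SAMPLE_LOG = r"""
2009-04-17T10:00:01 proc_start pid=100 ppid=4 image=firefox.exe
2009-04-17T10:00:05 proc_start pid=200 ppid=100 image=AcroRd32.exe
2009-04-17T10:00:06 net_connect pid=200 dest=203.0.113.7:80
2009-04-17T10:00:07 file_write pid=200 path=C:\Users\test\AppData\Local\Temp\load.exe
2009-04-17T10:00:08 proc_start pid=300 ppid=200 image=load.exe
2009-04-17T10:05:00 proc_start pid=400 ppid=4 image=AcroRd32.exe
2009-04-17T10:05:02 file_write pid=400 path=C:\Users\test\Documents\notes.pdf
"""

BROWSERS = {"firefox.exe", "opera.exe", "iexplore.exe"}
READERS = {"acrord32.exe"}            # document readers to watch
EXEC_EXT = (".exe", ".dll", ".scr")   # file types treated as executables


def analyze(log_text):
    """Return (timestamp, severity, message) findings for reader activity."""
    images = {}    # pid -> lower-cased image name of every process seen
    findings = []
    for line in log_text.strip().splitlines():
        ts, kind, rest = line.split(" ", 2)
        # Values must not contain spaces in this simplified format.
        f = dict(re.findall(r"(\w+)=(\S+)", rest))
        pid = f["pid"]
        if kind == "proc_start":
            image = f["image"].lower()
            images[pid] = image
            parent = images.get(f["ppid"], "")
            if image in READERS and parent in BROWSERS:
                # Second hurdle passed: the document opened without a prompt.
                findings.append((ts, "info", "reader started by browser"))
            elif parent in READERS:
                # A document reader has no reason to launch other programs.
                findings.append((ts, "alert", f"reader spawned {image}"))
        elif images.get(pid) in READERS:
            if kind == "net_connect":
                # Third hurdle: the reader, not the browser, calls out.
                findings.append(
                    (ts, "alert", f"reader outbound connection to {f['dest']}"))
            elif kind == "file_write" and f["path"].lower().endswith(EXEC_EXT):
                # Fourth hurdle: an executable lands on disk.
                findings.append(
                    (ts, "alert", f"reader wrote executable {f['path']}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

None of these events requires elevation, so the same chain can complete under a standard user account without a UAC prompt; the second reader session in the sample, which only saves a PDF, produces no findings.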
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I suggest reading a 2007 paper from Symantec titled "The Impact of Malicious Code on Windows Vista".

     