UAC is going to be useless unless ...

Discussion in 'malware problems & news' started by 3GUSER, Sep 5, 2010.

Thread Status:
Not open for further replies.
  1. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    UAC is going to be useless unless you really know what you are doing

    Back in the early years when Vista appeared I have seen malware that is useless thanks to User Account Control. Even if it installs as admin, after restart the sample wants admin rights but is blocked by UAC/Defender, as start-ups with admin rights are not allowed.
    http://i.techrepublic.com.com/gallery/186930-469-132.png
    http://support.microsoft.com/kb/930367

    Now malware has started to act differently. Not long ago I noticed my first sample that disables UAC (on Windows 7), and upon restart the threat is able to gain maximum privileges.

    I just came across two more samples that also disable UAC if I start them as admin. I am not sure if there is a workaround. Any ideas?
     
    Last edited by a moderator: Sep 5, 2010
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    This may sound like I'm being a smartass, but, scan your downloads first? I know, "but what if they don't detect it?", you have a good point. But the chances of a very good AV, along with one or two on-demand scans with others, missing something are low. To get away from that, since I know that kind of statement will just bring arguments I don't wish to start: if it doesn't need a reboot, you can always install a new piece of software in Sandboxie or Returnil to see what it does first.

    Were these security programs that were infected with these samples, or were they "stand alone" malware samples you were just testing?
     
  3. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    The newest ones I got were both rogue programs using MSI to do a silent install. At the end of the installation, Windows Action Center reminds you that the computer needs a restart for the changes to UAC to take effect.

    And when the antivirus/antimalware security has been bypassed, after restart it is malware fun.

    I was talking about some protection of the UAC settings. I was thinking: what if I lock the Registry permissions of my user (for example) to change the UAC settings?
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hang on, let me make sure I'm reading you right. The malware throws up an Action Center message saying UAC is about to be changed? If that is the case, that should be a big, bright red warning flag to anyone who understands that UAC doesn't need to be changed for any reasonable program. I'm aware some such programs exist, I've run across them, but I've never let them install when they wanted to do that. They immediately got kicked out the door.

    Off topic, and this may not even be the same thing you're talking about, but I hate MSI files. Programs that are installed like that never seem to want to uninstall correctly. I'm sure that's simply my experience with them, but it sure seems that way. On-topic, there may exist a way to lock UAC from being changed, I simply don't know. It's worth looking into.
     
  5. brosephjames

    brosephjames Registered Member

    Joined:
    Sep 5, 2010
    Posts:
    9
    You said you purposely let the malware run with admin privileges? So presumably you clicked yes on the UAC prompt when you let them execute?

    All the security techniques like UAC, LUA, SRP, etc. are designed to prevent malware from running as admin or running at all. They can't really help you once the malware gains admin privileges.

    If software has admin access it can do whatever it wants, including disabling UAC and SRP etc.
     
  6. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Yes, for testing purposes, yes. The average Joe would do the same.

    I know, but I think some settings should be further protected.

    I am gonna try tomorrow to see if I can protect the permissions of these keys.

    The point of this thread is to point out how malware has obviously developed (since the first appearance of UAC in Vista) and to hear any ideas for protecting UAC itself.
     
    Last edited: Sep 5, 2010
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The issue is (and this may show my lack of knowledge here, but it's worth it if I've been wrong): if UAC is at max level, EVERY program you install will result in a UAC prompt. Most of the time, all you get is "This program wants to make changes to your computer". That's not the biggest help in the world.
     
  8. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Of course not. As soon as the malware sample starts, it changes the UAC registry settings to disable UAC. A second or two after that, Action Center presents you with a prompt to restart the computer for the changes to take effect. You restart and the malware is free to do anything.
     
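The tampering pattern described in the post above (a sample flips the UAC policy values in the registry, Action Center asks for a reboot, and after the reboot the sample runs unimpeded) can be checked for directly. The script below is an added example written for this page; it is not code from the thread or from any of the products mentioned. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), reports which ones have been weakened, and lists which principals hold write rights on that key, which is what the earlier post about locking the key's permissions would need to inspect. The treatment of a missing value as "secure default" (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) is an assumption of this example; the function and variable names are mine. The live-registry parts need a Windows host; the constructed sample runs anywhere PowerShell does.

```powershell
# Added example for this thread, not from the original post.
# Evaluates the UAC policy values that "disable UAC, then reboot" malware rewrites.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValueNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Test-UacPolicy {
    # $Values: hashtable of value name -> DWORD, as read from the key (or constructed).
    param([Parameter(Mandatory)][hashtable]$Values)

    # Assumption: a missing value means the Windows default (UAC on, prompt for
    # non-Windows binaries, prompt on the secure desktop).
    $enableLua = if ($Values.ContainsKey('EnableLUA')) { [int]$Values['EnableLUA'] } else { 1 }
    $consent   = if ($Values.ContainsKey('ConsentPromptBehaviorAdmin')) { [int]$Values['ConsentPromptBehaviorAdmin'] } else { 5 }
    $secure    = if ($Values.ContainsKey('PromptOnSecureDesktop')) { [int]$Values['PromptOnSecureDesktop'] } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) { $findings += 'EnableLUA=0: UAC disabled entirely (takes effect after the reboot Action Center asks for)' }
    if ($consent -eq 0)   { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, no prompt at all' }
    if ($secure -eq 0)    { $findings += 'PromptOnSecureDesktop=0: prompt shown on the normal desktop, where it can be spoofed' }

    [pscustomobject]@{
        Weakened = ($findings.Count -gt 0)
        Findings = $findings
    }
}

function Get-UacPolicyFromRegistry {
    # Reads the live values; reading HKLM here does not require elevation.
    $item = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($name in $UacValueNames) {
        if ($null -ne $item.$name) { $values[$name] = $item.$name }
    }
    $values
}

function Get-UacKeyWriteGrants {
    # Lists every ACE on the policy key that allows changing values.
    # Any entry beyond SYSTEM, Administrators and TrustedInstaller is worth a look.
    (Get-Acl -Path $UacKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights -match 'SetValue|WriteKey|FullControl' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Constructed sample: the values a UAC-disabling installer typically leaves behind.
$tampered = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
(Test-UacPolicy -Values $tampered).Findings | ForEach-Object { Write-Output "SAMPLE: $_" }

# Live check of this host (Windows only).
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    $live = Test-UacPolicy -Values (Get-UacPolicyFromRegistry)
    if ($live.Weakened) { $live.Findings | ForEach-Object { Write-Output "LIVE: $_" } }
    else { Write-Output 'LIVE: UAC policy values are at their secure settings' }
    Write-Output 'LIVE: principals with write rights on the UAC policy key:'
    Get-UacKeyWriteGrants | Format-Table -AutoSize
}
```

Two caveats that follow from the rest of the thread. First, a check like this only tells you the values were changed; the reboot that Action Center requests is the moment the change takes effect, so the useful time to run it is before you agree to that reboot. Second, tightening the ACL on the key, as proposed earlier in the thread, only raises the bar: a process already running with a full administrator token can take ownership of the key and rewrite the ACL, which is exactly the point the later replies make about having "lost" once malware is elevated.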
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Ahh okay, read you loud and clear.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you let malware have admin privileges, you've "lost."
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    This thread has FAIL written all over it.
     
  12. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    That's just plain stupid. Not to be personal, but you are an MCP, so you should know that the moment you give malware admin access your computer is already lost. What's the problem if it disables UAC while it already can do everything else? Even if it couldn't disable UAC, it can already do a lot of damage (keylogging, etc.).
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    All is not yet lost for a knowledgeable user with layered security defences: HIPS (to prevent loading of drivers and low-level disk access), firewall (prevention of phoning home), and a lite virtualizer (as a system-wide sandbox). Put an application sandbox into the mix and you have security overkill. :D

    Edit:
    Oopsy! Yes, I agree with that statement. I failed to qualify "admin privileges". What I thought initially was if malware was executed in an admin account. So obviously if malware is given admin privileges, he blatantly allowed huge gaping holes or security bypasses which in this case allow low-level writes to the MBR, loading of drivers, etc. What is nice about having layered security defences, even if admin, is that you'll know beforehand what a malware can do if executed, and it helps you prevent major security blunders.

    But then again, all is not lost if you have offline image backups, one's ultimate security. :)
     
    Last edited: Sep 7, 2010
  14. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    UAC with SRP is awesome... IMO :D
     