Using screen dimming software to avoid typing credentials into a fake UAC prompt

Discussion in 'other anti-malware software' started by MrBrian, Oct 21, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    While I was using Dark Screen to reduce brightness on my laptop screen, I noticed that it doesn't dim UAC prompts, assuming that you have UAC set to display its prompts on the secure desktop. It then occurred to me that Dark Screen can be used as a security program. If malware generates a fake UAC prompt, Dark Screen should dim it, whereas a genuine UAC prompt (assuming it's being displayed on the secure desktop) cannot be dimmed by Dark Screen. So if you're using Dark Screen and you see a purported UAC prompt that is dimmed, then it's from malware :argh:.
     
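    The same idea as the Dark Screen trick, expressed as a check rather than a visual cue. This is an added example and is not code from the post or from Dark Screen. It relies on one fact: `EnumWindows` only sees windows on the desktop of the calling thread (the interactive "Default" desktop), while a genuine UAC prompt, when prompts are set to appear on the secure desktop, is drawn by consent.exe on the separate Winlogon desktop and cannot be enumerated from here. So any visible top-level window on the Default desktop that calls itself "User Account Control" is impersonating UAC, and the script reports which process owns it. The English window title and the registry location of PromptOnSecureDesktop are assumptions stated in the code; a fake prompt can obviously use any title, so this only catches lookalikes that copy the real one.

```powershell
# Added example (not from the original thread): look for windows that claim to be
# the UAC prompt on the interactive Default desktop. With PromptOnSecureDesktop=1
# the real prompt lives on the Winlogon desktop and can never appear in this list,
# so every hit is a lookalike worth investigating.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class FakeUacProbe {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Find-FakeUacWindow {
    param(
        # Title of the genuine prompt on an English system (assumption; adjust for your locale).
        [string[]]$SuspectTitles = @('User Account Control')
    )
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secure = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).PromptOnSecureDesktop
    if ($secure -ne 1) {
        Write-Warning 'PromptOnSecureDesktop is not 1: real prompts are drawn on this desktop too, so a hit proves nothing.'
    }

    $hits = New-Object System.Collections.Generic.List[object]
    # GetNewClosure pins $hits and $SuspectTitles so the native callback sees them.
    $callback = [FakeUacProbe+EnumWindowsProc]({
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([FakeUacProbe]::IsWindowVisible($hWnd)) {
            $sb = New-Object System.Text.StringBuilder 512
            [void][FakeUacProbe]::GetWindowText($hWnd, $sb, $sb.Capacity)
            if ($SuspectTitles -contains $sb.ToString()) {
                $ownerPid = [uint32]0
                [void][FakeUacProbe]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $hits.Add([pscustomobject]@{
                    Handle  = $hWnd
                    Title   = $sb.ToString()
                    Pid     = $ownerPid
                    Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                    Path    = if ($proc) { $proc.Path } else { $null }   # null for processes we cannot open
                })
            }
        }
        return $true   # keep enumerating
    }.GetNewClosure())

    [void][FakeUacProbe]::EnumWindows($callback, [IntPtr]::Zero)
    return ,$hits
}

$fakes = Find-FakeUacWindow
if ($fakes.Count -eq 0) {
    'No "User Account Control" window on the Default desktop; nothing is impersonating the secure-desktop prompt right now.'
} else {
    Write-Warning 'Window titled like UAC found on the Default desktop, where a genuine prompt cannot be:'
    $fakes | Format-Table -AutoSize
}
```

    Run it from an ordinary (non-elevated) PowerShell while a prompt is on screen. Because the secure desktop blocks input to the Default desktop, a genuine prompt will first have to be dismissed before the script can run at all, which is itself a tell: a "UAC prompt" that lets you keep typing into other windows is not on the secure desktop.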
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    cool trick! :eek: :thumb:
     
  3. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Sorry if I sound like an idiot, but I don't get it...
    Why would malware fake a UAC alert? what would that achieve?
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I suppose clicking a fake UAC alert thinking you were clicking "allow" out of habit may be a trick for clicking a disguised execute, download, etc for malware. May be a way to get the admin password too I suppose.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In a standard user account, a UAC prompt asks for admin credentials. Thus, malware running in a standard user account could also display a fake UAC prompt in order to get admin credentials.
     
  6. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    So if malware popped up a fake UAC asking for admin rights... wouldn't the "legit" UAC then pop up saying it's asking for admin rights anyway?
    If the "legit" UAC didn't pop up, it would be a bypass - and if the malware could bypass UAC, why even bother with the fake UAC alert? o_O
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I get your point. A fake UAC alert is fake, right? No elevated actions would happen since it is fake and not the real UAC.


    It does make sense if the fake UAC prompt came from some tricky website and allowing it would probably trigger some drive-by download exploit. :D

    I'd notice it right away, since it came from inside the browser :D
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'll answer with a realistic scenario. You're browsing the web and are hit by a drive-by download that executes. So at this point malware is already running, but it doesn't have admin rights yet. Now perhaps the malware creates a fake UAC prompt asking for admin credentials. If you type the admin credentials, the malware now knows that info.
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    good point :thumb:

    But you can also harden UAC settings in GPEDIT so you don't need resources for screen dimming software running in real time:

    switch to the secure desktop when prompting for elevation
    prompt for credentials on secure desktop.
    require ctrl+alt+delete
    require trusted path for credential entry
     
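    The four gpedit items above correspond to registry values under the machine policy keys, which makes them easy to audit (or push) from PowerShell. The script below is an added example and is not from the post; it assumes the standard policy paths and value names shown in the code, with `EnableSecureCredentialPrompting` being the value behind "Require trusted path for credential entry". It reports the current state of each setting, and with `-Harden` writes the secure-desktop values from an elevated shell.

```powershell
# Added example (not from the original thread): audit, and optionally set, the UAC
# policies named in the post. Reading HKLM policy keys needs no privilege; writing does.
param([switch]$Harden)

$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

# Numeric codes (assumed from the UAC policy documentation):
#   ConsentPromptBehaviorAdmin: 0 = elevate silently, 1 = credentials on secure desktop,
#     2 = consent on secure desktop, 3 = credentials, 4 = consent,
#     5 = consent for non-Windows binaries only (default; auto-elevates signed Windows
#     binaries, so it is not counted as hardened here)
#   ConsentPromptBehaviorUser: 0 = deny automatically, 1 = credentials on secure desktop,
#     3 = credentials on the normal desktop (default)
$checks = @(
    @{ Key=$uacKey;    Name='EnableLUA';                        Policy='Run all administrators in Admin Approval Mode';                  Good=@(1);   Set=1 }
    @{ Key=$uacKey;    Name='PromptOnSecureDesktop';            Policy='Switch to the secure desktop when prompting for elevation';      Good=@(1);   Set=1 }
    @{ Key=$uacKey;    Name='ConsentPromptBehaviorAdmin';       Policy='Behavior of the elevation prompt for administrators';            Good=@(1,2); Set=2 }
    @{ Key=$uacKey;    Name='ConsentPromptBehaviorUser';        Policy='Behavior of the elevation prompt for standard users';            Good=@(0,1); Set=1 }
    @{ Key=$credUiKey; Name='EnableSecureCredentialPrompting';  Policy='Require trusted path for credential entry (Ctrl+Alt+Del)';      Good=@(1);   Set=1 }
)

function Get-UacPolicyState {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Name) } else { $null }   # $null = not configured
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $c.Name
            Current  = $current
            Hardened = ($null -ne $current -and $c.Good -contains $current)
        }
    }
}

function Set-UacPolicyHardened {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing HKLM policy values requires an elevated shell.'
    }
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Set -Type DWord
    }
}

Get-UacPolicyState | Format-Table -AutoSize
if ($Harden) {
    Set-UacPolicyHardened
    'After hardening:'
    Get-UacPolicyState | Format-Table -AutoSize
}
```

    Note that the last row is the one the rest of the thread argues about: once `EnableSecureCredentialPrompting` is 1, Ctrl+Alt+Del is demanded at credential prompts, so weigh that against how often you sit at a credential prompt before switching it on.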
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Good point :). There is a problem with this though: ctrl+alt+delete is also required in UAC prompts where credentials are not asked for, which is a nuisance.
     
  11. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    The only prompt I've ever been asked by UAC is Yes\No; I haven't had to type in anything?
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's probably because you're using an admin account. In a standard account, UAC prompts ask for credentials.
     
  13. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Ah! I get it now :oops:
    thanks, I knew something wasn't making sense. :D
     
  14. wat0114

    wat0114 Guest

    Right, which also means any malware launching in user space, if memory serves?


    Also, I see ctrl-alt-del only for login, or is it only for specific UAC configurations?
     

    Last edited by a moderator: Oct 21, 2010
  15. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Hitman Pro and Prevx identify it as medium risk malware.
    Thanks for the info but I'll stick with what I've got.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    You can use "PROMPT FOR CONSENT ON SECURE DESKTOP" instead of CREDENTIALS to reduce the nuisance :)

    Never mind the ctrl+alt+del, it's only for logon, my bad :D
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, and that's the default for admin accounts. It's a nuisance IMHO to press ctrl+alt+delete when in an admin account just to be able to give consent.

    You were correct originally - see my last post.
     
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    OK. I always use admin these days, and these are my UAC settings :)
     

    Attached Files:

    • 1.PNG
  20. wat0114

    wat0114 Guest

     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
     
  22. wat0114

    wat0114 Guest

    Okay, I didn't know it was out there.

    With the latter approach, isn't the addition of a 3rd party application considered a negative trade-off? At least the former approach uses what's already built-in to the O/S.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It is. I tried the ctrl+alt+del setting awhile ago, but quickly got rid of it because ctrl+alt+del is then required just to dismiss a consent-only UAC prompt when I'm in my admin account, which is usually where I encounter UAC prompts.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. wat0114

    wat0114 Guest

    Interesting link, thank you. Something occurred to me earlier: how would malware capable of displaying a fake UAC alert on a dimmed (secure) desktop know what my account's picture icon looks like, as well as the name I'm using for my administrator account (I don't use "Administrator" because it's used by the built-in administrator account)? It would have to get these two conditions right when producing and displaying its fake UAC alert. Is this just a mere formality for this type of malware?
     