Slashdot Mirror


Tricking Vista's UAC To Hide Malware

Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is not to fake the dialog but to make a genuine UAC prompt appear in the colour Windows reserves for its own components: the malicious code is loaded through a Windows-signed executable, so the consent dialog looks like a request from the operating system rather than from unsigned third-party software.


  1. Re:Importance? by Asztal_ · Score: 2, Informative

    I guess if you didn't notice, it's possibly because you knew what you were doing at the time and just clicked allow/continue without second thought. Or maybe you just didn't install/run unsigned software, which would generally be a good idea anyway.

    This is essentially allowing a trusted program (RunLegacyCPLElevated.exe) to load and execute untrusted (unsigned, etc) code in its own, trusted, context... I don't see how that can possibly be secure, or how they can say it's not a problem. The obvious choice to me is either to display a notification when a "trusted" process running with full privileges dynamically loads an untrusted DLL (then again, that might get annoying, in which case they could have implemented some sort of flag in the executable's manifest meaning "this program may link with untrusted code, if it does at some point do that, then afterwards treat it as unsigned"). N.B.: I could be talking out of my arse here.

    For reference, sometimes it just asks you if you want to allow an unnamed program - that's the orange dialog with the choice "allow/deny". It's not digitally signed, or the signature isn't trusted, so there is no reason to trust who it says it's from (I'm not saying digital signatures are foolproof, but they help), so it doesn't even say what program wants to do X or who it is from. Other times, it tells you who signed the software and that you should run it if you trust the signer - that's the grey/teal one with the choice "continue/cancel".

  2. Re:I didn't think it was that difficult by SCPRedMage · Score: 3, Informative

    UAC prompts are NOT that common, and UAC prompts when copy and pasting is a myth. Please, let it die.

    --
    My sig can beat up your sig.
  3. Re:But, What Now? by Coward+the+Anonymous · Score: 2, Informative

    Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?


    If you read the article, you would have seen that they are not mimicking the UAC screen but actually causing Vista to prompt the user with a real UAC dialog that grants Admin privileges.

    From the Article:

    Finally, the malicious code would call the "RunLegacyCPLElevated.exe" -- the Vista executable that provides backward compatibility to older Windows Control Panel plug-ins -- which in turn runs the .dll. That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system. As soon as the user clicks the "Confirm" button, the malicious code is granted administrative privileges, giving the code -- and thus the attacker -- full access to and complete control of the machine.
    --
    -- Jason
  4. I am colourblind by Kimos · Score: 3, Informative

    I don't use Vista so I don't fully understand. Do the colours of the popups provide security-related information? Seems pretty ridiculous and unfair, considering I'm not the only person in the world who is colourblind...