Tricking Vista's UAC To Hide Malware

Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

Not an issue

[picob]

I couldn't say it better than a header in TFA:

Microsoft: Not an Issue

We need to cut down on the complexity.

With every release of Windows, Microsoft seems to devise some new, overly-complicated scheme to try to protect Windows users. The scheme they came up with may sound great, but then it falls flat on its face because of some minor flaw or workaround.

So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.

Re:We need to cut down on the complexity.

[peragrin]

Why don't you be rational. So that user's directory get's trashed. but trashing that directory also kills off the malware. If it doesn't a simple search for that user's remaining files will. All that remains is a simple backup restore and your good to go. total time to repair maybe an hour.

To clean a Windows box means reinstalling the entire damn thing.

It is also a lot harder to use a *nix based box as a botnet zombie. It isn't impossible, but each machine has to be manually cracked, unlike Windows up to XP which it can be fully automated. I will hold off on final Vista judgments until more information can be gathered.

To Quote Scotty in Star Trek III The more they over think the plumbing the easier it is to stop up the drain.

Simple *nix user level security has proven for over 20 years to be more effective than anything MSFT has produce in the same amount of time.

ACL's make life easier for large installs, but it is the small ones that cause the most problems. That is why large *nix installs use both.

Re:We need to cut down on the complexity.

[MajinBlayze]

To the *NIX crowd: Please, please, please stop trivializing the destruction of a user's home folder. For home use, there is rarely more than 1 user, and loosing all documents/etc is marginally better than reinstalling the whole OS. There is no reason that an application should have this kind of permission, IMO, we need to look past user level permissions to application level permissions, as this is where real security exists.

C'mon, give MS a break here!

[pla]

That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system.

So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?

Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.



I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.

Re:C'mon, give MS a break here!

[stokessd]

"Computers seem to be heading in the direction of becoming more like appliances; "

True, and we are in a dangerous "middle-ground" between a complex tool that only knowledgeable people use, and a true appliance that anybody uses.

The problem is that the operating system is too brittle and vulnerable to be considered an appliance. Do you ever think about how you use your toaster? If I put this new organic untrusted bread in the toaster will my toaster be taken over and corrupt the blender and waffle maker and start a kitchen rebellion? If I put in this DVD of "Ishtar" in my DVD player will it require a weekend to reinstall it's OS and useful applications?

No, that doesn't happen because appliances are robust and there isn't much a user can do to hurt them when used in their intended ways.

Now the current computers (particularly windows) are becoming appliances but haven't gotten to the critical point where they really become appliances. that transition will happen when a big chunk of the OS is hidden from the user and the user works in a Sandbox. It will be a lot less useful because it will only do what it was designed to do, but it will be safe and reliable for it's intended purpose. Then it will be an appliance.

The problem is that computers are sold as the answer to lots of the average user's non-problems. Like any good for sale in a capitalistic society, it's jammed down the throats of everybody the seller can get their hands on. So lots of people who maybe shouldn't be using computers (in their current unrestrained form) are using them (they are the ones who you get your spam from).

This is a windows problem not only because of shoddy engineering, but also because of Microsoft's position in the market. Let's look at the three major OS's:

Linux (BSD et al): It's a computer hobbiest's paradice, lots of great code, well defined heirarchy. Plus in general hard to get your hands on if you are "Joe User" who just wants to get a computer to e-mail the kids at school. This means that the people who are using this os WANT to use it for some reason (insert long list here), and they are going out of their way to use it. This means that this segment is typically very computer savvy and not likely to be pwned as a group.

Macintosh: This is also a "Harder to get" computer for two reasons. First, they are very expensive compared to the best-buy special. Second they are only sold in a few places. These two reasons make the Mac a sought-out computer rather than what the sales droid told you to buy. The average user is probably less computer savvy than the average Linux user, but in the case of the Mac, apple also "has your back" to some degree with frequent patches and a well designed core OS that minimizes your risk to begin with.

Windows: This is the default OS you get if you close your eyes and pick a computer. This means that if you have no clue about computers, chances are you get a windows box. Its fertile ground for stupid users to take advantage of (can I interest you in a free screensaver?). And in addition to that, MS has huge legacy issues that they can't change or they break business apps. MS has painted itself into this corner by selling to the lowest common denominator.

Change the borders to any color you like, there are still a huge amount of computer users that shouldn't be computer users under the current OS choices.

Re:C'mon, give MS a break here!

[pla]

Ah, elistism at its finest.

I know, right? Daring to think that people would bother to learn how to properly feed and care for a $500+ investment. I can act like quite the insensitive bastard some days...



Also, why should I care? Sometimes I just want to get my work done!

And I just want my car to get me to work. But if I don't know the condition of literally hundreds of seemingly-irrelevant aspects of that vehicle, it either won't continue getting me there every morning for very long, or in the worst case, won't get me there at all. From whether or not it has fuel and wiper fluid and a full compliment of working lights, to where I put the key in and which way to turn it and how far and if it wants the brake/transmission/lights/door/seatbelt in a certain state to start, to when I need my next periodic maintenance, to the countless conditions I might need to notice and evaluate while actually on the road.



I consider myself an advanced windows user, but I'm still not sure at all times what every application and service and background process is doing.

I don't need to know exactly how my transmission works, but I do need to take action if I find a pink puddle under my car.

On my machine right now, I have 38 processes running, which includes 35 services lumped into a half-dozen "svchost"s. I can't claim to know exactly how each of those 67 tasks (38+35-6) does its job, but I do know whether or not it "should" run under normal conditions.



Computers seem to be heading in the direction of becoming more like appliances

They won't ever get there, in their present form.

You may see a lot more dedicated computer-like devices, such as DVRs, email/web "appliances", and personal organizers; But the realm of general-purpose computing will always remain all but closed to those unwilling to invest the time to learn the basics. And by the basics, I mean a hell of a lot more than MSIE, Word, and Outlook.

Even beyond knowing what should run, though, even a total novice user should have the basic grasp of "I didn't just try to do anything that should require administrative access, why does it want elevated permissions?". If your microwave oven wants the PIN to your ATM card, you shouldn't need the message to appear in a different color to clue you in to the oddness of the request.



If you tell me you DO know EVERYTHING that is happening -- well you are very special.

No. Not special. Just "curious". If I open Task Manager (I actually use Sysinternals' Process Explorer, but same idea) and see something I don't recognize, I look it up. Simple as that. It doesn't take a genius or even hours of research, just Google and and a spare 30 seconds.

So yeah, if you won't invest that much time (per process) in operating an expensive machine, then you shouldn't use a computer. Or a car. Or any power-tools. Or reproduce. ESPECIALLY reproduce.

And if it makes me an "elitist", or just a plain ol' bastard, for thinking that some things in life require learning how to do them right - So it goes. But I don't get infected with spyware, so, take that as you will.

Re:C'mon, give MS a break here!

[Cycloid+Torus]

There - right there in the 4th paragraph - you defined it - the next OS - the one my spouse, my kid, my mother-in-law ALL need YESTERDAY. They will never have half the knowledge of PCs that I have - and I find what I know to be inadequate over and over. I can't get really upset with the sludge I have to scrape out of their boxes.

I think (hope, pray, etc) that Open Source will provide well constructed (custom?) Sandbox OS for all of my relatives who look to me to fix their little problems now - with a service which keeps this tidy and right.

Smell the opportunity - like bacon frying...

UAC is not there for *user* protection

[Theaetetus]

"It's very important to remember that UAC prompts are not a security boundary -- they don't offer direct protection," said Whitehouse. "They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word 'trust' in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can't be trusted."

It's pretty obvious from Microsoft's response that this is an example of Bruce Schneier's "security theater". UAC doesn't actually protect the user, but it enables Microsoft, in response to any virus/worm/trojan/botnet/class action lawsuit to say "well, you clicked allow. It wasn't our fault." (or, more likely "you were so annoyed by UAC that you turned it off, it's not our fault"
This isn't security, this is a legal CYA.

Re:UAC is not there for *user* protection

[gsslay]

UAC doesn't actually protect the user,

I would be interested in what you consider would protect the user. You have three options here.

1/ No-one decides what goes on your computer. It's an open free-for-all.

2/ Microsoft decides what goes on your computer. Corporate lock-down.

3/ You decide what goes on your computer. You're the boss.

We've already seen what happens with option 1. It's a security nightmare for everyone. I can imagine just how popular the second option there would be, people already have plenty to bitch about the controlling nature of Microsoft without adding to it.

So it's got to be option number 3. The only other thing Microsoft can do then is to warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide.

Which is pretty much what is happening here. And still people complain.

Re:UAC is not there for *user* protection

[jb.hl.com]

UAC doesn't actually protect the user, but it enables Microsoft, in response to any virus/worm/trojan/botnet/class action lawsuit to say "well, you clicked allow. It wasn't our fault."

It wouldn't be their fault. Nor should it be their fault.

Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?

If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...

Re:UAC is not there for *user* protection

[99BottlesOfBeerInMyF]

I would be interested in what you consider would protect the user. You have three options here. 1/ No-one decides what goes on your computer. It's an open free-for-all. 2/ Microsoft decides what goes on your computer. Corporate lock-down. 3/ You decide what goes on your computer. You're the boss.

The basic problem is the assumptions behind your classification. You assume that "something on your computer" equates to "your computer is compromised." I agree that the user needs to be the one determining what is installed an further, I agree that the OS should, "warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide." You're still missing a piece of the puzzle here. The OS needs to let the user what is going on, very specifically and the OS needs to let the user allow and deny behaviors very specifically. That is how UAC fails.

Which is pretty much what is happening here. And still people complain.

The Register described UAC as "too little too late." That about sums up my opinion. It is a baby step in the right direction, but no where near enough to actually solve the problem users have and because of the implementation of certain elements may lead to long term greater insecurity because of the way it trains users.

Here's a simple example of how UAC fails and why. A user downloads a trojan installer and double clicks on it. Installers, by default, run as admin and require the user to click "Allow" in a UAC prompt. This means a trojan installer and a freeware game installer appear, to the user, to be exactly the same. Worse, the user has been asked to click "Allow" many times for other procedures where there was very little risk. What would make any reasonable security person assume the user will not click "Allow?"

My assertion is that by default the user should be allowed to install anything they want, but that all software should run in an ACL sandbox, by default, and should be restricted from certain behaviors by default and that the user should be prompted not when installing software, but when the software actually tries to do something most legitimate software does not need to do, and then they should be given well crafted dialogue boxes with unique actions for buttons to avoid conditioning.

This is entirely doable, it just requires that MS take security seriously and actually looks at the problem and the behaviors of users and creates a technological solution designed to solve that problem. UAC is a "me too" solution that tries to bring security up to par with common Linux and OS X desktops, but it ignores that those desktops are not under constant attack by malware while Windows is. Windows needs to be better than the average Linux desktop in order to provide users with the same risk of infection. UAC is nowhere near the level of security needed and the poor UI design exacerbates exisiting security problems brought on by previous poor UI designs in Windows.

Re:Importance?

[leuk_he]

Never noticed these colors as well.

I did try to cut the number of warnings given, but uac still is not yet at a level it is user friendly.

Let me point out:
-It sometimes tells the publisher is unknown, and sometimes it show the publisher, but say it is unverified. It is just a conspiracy with verisign to sell code signing certificates.
-Java vm had fine grained access controls a long time ago, and the NSA build these into windows NT 4.0 also. But all UAC allows is to give full access(=admin that can install drivers) or deny (no option most of the times) it. Yes, you can apply all kind of rights to the user, but not to a program... This is a lost opportunity.
-Once UAC is popping up you have no way to take back control. So guess what a user does when he is confronted with {while (true)askPersmissiontoinstalltrojan;}
-...???
-profit. Yes for Steve Ballmer that is... ;)

Re:Different colors??

While it may be true that different colored borders are supposed to mean varying levels of "trust", as in what component is running, I don't think any user would know that. The text in the dialogs doesn't appear to be different (that I can tell), so why would a border color make me go "Oh, I should let that action happen, I bet that's some Control Panel action", especially when I wasn't working with the control panel.

One of the problems is that you can set the "green" ones to be always accepted in corporate networks to allow users to run certain programs that are part of Vista. So yes, this has some potential to do damage.

Re:Different colors??

[dysfunct]

I don't think any user would know that.

I wouldn't be too sure about that. The article mentions that "the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system". Since this dialog will likely pop up frequently with a low chance that the user triggered it unintentionally (i.e. the user knows what he/she is doing) it might actually lower the barrier of clicking "Allow".

Don't forget that even though a user might not consciously notice the color after a lot of usage and especially repetition the brain might subconsciously notice the difference between a red (not as often appearing -> think twice) and green (frequently appearing after normally trusted "system" action -> just click on the damn thing) border and act accordingly.

Anti-Virus makers, make Virus.... same old scare

[Jackie_Chan_Fan]

These guys are pointing this out, because they want to sell symantec products. Thats the only reason why this article came out. It's the only reason why Symantec released this statement. They want to put the message out there that "You're not secure without Norton"

This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and lets use it to make us money"

The old anti virus company making viruses, just to fuel sales... has come true. They dont have to release the viruses though, but simply they figured something out, and to tell the world that something.

Profit at all costs.

No tricking involved

[LinuxGeek]

The main problem I have seen with Vista since the first RCs is the monotonous regularity that these messages pop up with during regular system use. The old adage that practice makes perfect is incorrect; Practice makes permanent is the real outcome and microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.

I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.

Re:No tricking involved

[99BottlesOfBeerInMyF]

...microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.

The "OK/Cancel mistake" has been in usability textbooks as an example of what no to do for more than a decade now. It is quite clear to anyone who has had any formal training in human-computer interaction that either MS hires the worst UI people on the planet, or the marketing department overrides all of the UI people's proposed changes. It is also clear that either MS is only vaguely aware that UI deign is an important part of security, or they are a lot more interested in providing the perception of security than the reality. My opinions is that Vista security is a lot like searches at the airport. For the most part it is completely ineffective at actually increasing overall security when it is important, but it is very, very visible and "in your face" so people assume "something is being done" and are mollified.

Re:I surprised you saw UAC at all.

[ThePengwin]

People have also speculated that this is so M$ can blame the user later. So they went through all the trouble to try and create a system which lets users know more about whats happening to tell them that in the end its all your fault if you get a virus? Why not just say in the EULA "Dont click anything, it could be a virus/worm/trojan/spy ware/ad ware. We wont help you then"? Furthermore, why does windows have so much support then? why are there updates? Its not "Deal with it yourself", its most likely "We cant protect you from it all, but we will try" As for a non free OS comment, People use non free OSes these days because they honestly dont know how things work, and wont spend the time to. Its the same reason why anyone can build a car, but noone really does.

Re:But, What Now?

[99BottlesOfBeerInMyF]

Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?

Well, one obvious answer is to provide fake UAC authorization prompt for dozens upon dozens of applications and hide the real UAC prompt in the middle of them. After six or seven the average user will just start hitting "Allow" for everything under the assumption that they need to to get their OS to work again, or they will turn of UAC entirely.

Yet another bad car analogy

[AJWM]

People use non free OSes these days because they honestly dont know how things work, and wont spend the time to. Its the same reason why anyone can build a car, but noone really does.

No.

People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.

People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that that they'd ever sell any cars with the hood welded shut.

Re:But, What Now?

[Mister+Whirly]

And if you are just blindly clicking "Allow" without ever reading or thinking about what you are doing, how is it anyone else's fault but your own?

Re:Isn't this the whole point of UAC?

[99BottlesOfBeerInMyF]

At which point I would expect the user to go "hmm, this isn't right" and then attempt a virus scan or to stop visiting the website that keeps prompting them.

That sort of depends upon how high the false positive rate is in general.

The UAC is not a magic bullet, but it is a far better solution than anything we have today. Do you have a better idea? Don't let these programs run at all?

I'm not saying UAC is worthless, just that it is far from ideal, or even sufficient to provide the security needed by the average user. As for having a better idea, I sure as hell do. I think any reasonable security engineer who looked at Windows with the goal of solving the malware problem would conclude several things. First, Windows is attacked so much more often due to its dominance that the security mechanisms on more secure desktops, like Linux, are still insufficient to solve the problem. Second, if you look at the most secure OS's available today, they've all gone the same route, mandatory access controls. That is to say, locking down security on an application by application basis with restrictions for all resources, not just files or network ports.

Moreover, MS already started to implement a signing framework needed to bring MAC to a desktop user in a usable way and the NT kernel has built in support for the kind of ACLs needed. The answer is pretty obvious at that point. The assumption that users will know if they can trust a given application and are not going to run software that they don't expressly trust is an incorrect assumption.

MS engineers, however apparently look at things a little differently. Instead of innovating a solution to the problem or even copying the really secure systems on the market, they looked at their closest competitors and tried to come up with something that would be "close enough" to what Linux and OS X have implemented that people would not see them as way behind anymore. They seem to have been trying to solve the problem that people perceive them as insecure, rather than the problem that users cannot do what they need to do securely. UAC addresses the perception by being very visible, while not really getting there for actual security.

As for their application signing solution (a needed tool for both users and the OS to determine trust) MS's normal self seems to have undermined it by building a framework designed around lock-in, rather than one that fosters competition among certifiers of trust that would lead to really useful information. At this point, I basically have no faith that MS has the ability to engineer a truly secure solution and the only hope for MS's customers is that someone else will do it so MS can copy it.

Re:But, What Now?

[Mister+Whirly]

I don't know what world YOU live in, but ignoring security recommendations, not researching anything, and just clicking "Allow" without a clue to what you are allowing is not Microsoft's fault.

Will it happen all the time? Absolutely. Are a significant number of computer operators basically shaved apes without a clue about security? Absolutely. Does that make it Microsoft's fault? Absolutuely not.

How do you suggest Microsoft cures the world of dumb computer users who won't do what they are told, and what go against what common sense would dictate? Say someone bought a car, drove it until it died and then brought it to a repair shop where it was discovered there was no oil or engine coolant in it. ("Well, I saw some lights go on, but there are so many lights on the dashboard I just ignored them and kept driving.") Would it be the fault of Chevrolet because the operator couldn't be bothered to RTFM or understand how to properly operate a car before doing so?

Re:What's the issue?

[Herby+Sagues]

Either I don't know anything about computer segurity (odd as I get paid for that) or these guys don't know anything about security (odd as THEY get paid for that). In order for this "hack" to work the user has to download malicious code from the Internet, run it and accept a warning that indicates there's a dangerous elevated operation going on. How is this a hack in any way? Normally, if the user ran malicious code on Vista and it tried an elevated operation, it would trigger a warning. If the user accepts the warning, the code is run elevated and the computer becomes damaged. That's how it is designed to be, and that's even more than most platforms do in this respect. In this situation, exactly the same applies. The user has to download the code, run it, and accept a security warning. So where's the hack? A real hack would be to prevent a security warning from raising, not to raise a security warning when one is granted (or not).

Re:paraphrase

[CDarklock]

Not really. It's more like breaking into a house to install a complicated machine that unlocks the door from the inside, so you can come back later and rob it. It may be a bad situation, but it's never really going to happen, is it? If you already broke into the house, you're just going to go ahead and rob it.

Everybody wants to believe that the people installing botnets are hackers, but they're not. They're criminals. The people running security companies are hackers. They think building these fantastic scenarios is fun, because it is, so they spend all day doing it. Meanwhile, the criminals on the street don't give a shit. Lockpicks? Shotguns? Fuck that, I got BOOTS. Boots can open a door REAL good.