Tricking Vista's UAC To Hide Malware

Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

Different colors??

[drawfour]

While it may be true that different colored borders are supposed to mean varying levels of "trust", as in what component is running, I don't think any user would know that. The text in the dialogs doesn't appear to be different (that I can tell), so why would a border color make me go "Oh, I should let that action happen, I bet that's some Control Panel action", especially when I wasn't working with the control panel.

To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.

<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>