Malicious code and the Windows integrity mechanism

Status
Not open for further replies.
D

Deleted member 178

Thread author
My goal wasn’t to review the techniques of elevating system privileges; the Internet already has plenty of articles on the subject. New mechanisms are discovered every year, and each technique deserves its own review. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

Step Back in Time
The Windows XP security model differs significantly from the security model of Windows Vista and newer operating systems. There are two types of user accounts in Windows XP: a standard account and an administrator account. The vast majority of users worked with administrator rights, despite the fact that they didn’t need the rights for everyday tasks. These people infected their systems with malicious software that acquired the rights of the current user and, more often than not, they were administrator rights. As a result, the malicious software did not encounter any serious problems acquiring elevated privileges in a system running Windows XP.

This mechanism was used until the release of the Windows Vista family, where Microsoft introduced a new security model: Windows integrity mechanism.
Click to expand...


Worth the read.
 
  • Like
Reactions: Andy Ful, Rengar, tonibalas and 8 others
XhenEd

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Thanks for this, @Umbra!

From what I understand:
Generally, malware authors target to get higher integrity level rights in a system (Windows Vista to Windows 10). These higher integrity levels require administrative rights. And UAC is the one that blocks and asks for elevation. So, given the Kaspersky Security Network statistics, just by enabling UAC and answering No, you prevent at least 80% of malware from completely infecting and/or causing major damage to the system. The rest of the malware, the 20% that don't ask for admin rights, may infect the system without causing major damage. So, it's better to keep malware at bay from those higher integrity levels by answering No to a UAC prompt. :)

Of course, you can't always say no to a UAC prompt, but the point is that when something out of the blue asks for an elevation, it's prudent to say no.
 
Last edited:
  • Like
Reactions: Andy Ful, Wave, Rengar and 11 others
D

Deleted member 178

Thread author
XhenEd said:
Thanks for this, @Umbra!

From what I understand:
Generally, malware authors target to get higher integrity level rights in a system (Windows Vista to Windows 10). These higher integrity levels require administrative rights. And UAC is the one that blocks and asks for elevation. So, given the Kaspersky Security Network statistics, just by enabling UAC and answering No, you prevent at least 80% of malware from completely infecting and/or causing major damage to the system. The rest of the malware, the 20% that don't ask for admin rights, may infect the system without causing major damage. So, it's better to keep malware at bay from those higher integrity levels by answering No to a UAC prompt. :)

Of course, you can't always say no to a UAC prompt, but the point is that when something out of the blue asks for an elevation, it's prudent to say no.
Click to expand...
Exact ;)

UAC become a security feature by chance, because malware writers wrote their code to get admin rights (they need their code to have advanced capabilities).
 
  • Like
Reactions: Wave, Rengar, BugCode and 7 others
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Unfortunately, some malware do not require admin rights but are still dangerous.
Stampado ransomware for example, doesn't require administrator privileges in order to install itself on the pc and once infected the computer, the ransomware encrypts the data on the hard disk, and grants to the victim 96 hours to pay a ransom, thereafter, if the user doesn't pay, it starts to delete random files every six hours.
 
  • Like
Reactions: Wave, Rengar, BugCode and 4 others
XhenEd

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Winter Soldier said:
Unfortunately, some malware do not require admin rights but are still dangerous.
Stampado ransomware for example, doesn't require administrator privileges in order to install itself on the pc and once infected the computer, the ransomware encrypts the data on the hard disk, and grants to the victim 96 hours to pay a ransom, thereafter, if the user doesn't pay, it starts to delete random files every six hours.
Click to expand...
Yep! The author of the article took note of that kind of UAC bypass.

But his whole point in the article is just to explain the security hierarchy of Windows Vista, and higher, and that malware authors write codes to get to those higher integrity levels, asking for elevation through UAC, or bypassing UAC altogether. :)
 
  • Like
Reactions: Wave, Rengar, BugCode and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
it sounds like ransomware is sometimes capable of running with low permissions, whereas most other baddies will probably be stopped by UAC+SUA. And ransomware can be laughed at if you have up to date offline backups.
 
  • Like
Reactions: Andy Ful, Wave, Rengar and 2 others
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
A question: if a malware doesn't require admin rights, can we speak of UAC bypass?
I mean, if a malware requires admin rights but UAC does not block its execution then it is UAC bypass, or both situations? :)
 
  • Like
Reactions: Rengar, BugCode and XhenEd
XhenEd

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Winter Soldier said:
A question: if a malware doesn't require admin rights, can we speak of UAC bypass?
I mean, if a malware requires admin rights but UAC does not block its execution then it is UAC bypass, or both situations? :)
Click to expand...
Depends on the malware, I think. If a malware is designed to get to those higher integrity levels and is successful without UAC block/prompt (assuming UAC is enabled), then I think it would be a bypass. But if a malware is designed to just mess with Medium Integrity level or below, then it wouldn't be a bypass of UAC, since UAC isn't required in the first place. So, it all depends on how the author codes the malware. :)
 
  • Like
Reactions: Wave, Rengar, BugCode and 2 others
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
XhenEd said:
Depends on the malware, I think. If a malware is designed to get to those higher integrity levels and is successful without UAC block/prompt (assuming UAC is enabled), then I think it would be a bypass. But if a malware is designed to just mess with Medium Integrity level or below, then it wouldn't be a bypass of UAC, since UAC isn't required in the first place. So, it all depends on how the author codes the malware. :)
Click to expand...
Thanks @XhenEd to have confirmed what I was thinking :)
 
  • Like
Reactions: Rengar and XhenEd
Ink

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Humor about XP users:

"Windows XP can load in 5 seconds with 15 processes, it is faster than Windows 10 and I can keep it more secure than Windows Defender, since it's a crap Antivirus and not detect any samples from my 3 file Malware Pack, 0% detection rate, Emsisoft detected all 3 files for 100% protection. Its the best. I use Malwarebytes Anti-Exploit because Microsoft don't support this OS. :mad: Who are they to say to force users to Windows 10!! And XP don't spy on users, like NSA Windows 10."​

The End.

Couldn't help myself when the Author mentioned XP.
 
  • Like
Reactions: Davidov, shmu26, XhenEd and 3 others
Status
Not open for further replies.

Similar threads

Bot
End-of-Life announcement for Norton security software on Windows XP, Windows Vista, and Windows 7 (SP0)
Replies
1
Views
290
Norton
Bot
Bot
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Security News Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver
Replies
1
Views
1,028
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Adrian Ścibor
    • Like
    • +Reputation
    • Applause
AVLab.pl Repair Windows in few seconds – RestoreX review
Replies
9
Views
452
Security Statistics and Reports
Adrian Ścibor
Adrian Ścibor

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top