UAC Bypassable or not?

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,151
Looking back at the files I uploaded in the past pages I realized that they aren't very illustrative. So anyone could try these instead. Sadly I couldn't find any of the type that I wanted that showed up recently, but as this is a test against UAC alone the newness of the files really isn't an issue.

Anyway, for testing please just run it on either a Windows 7 or 8 system with UAC maxed out, but no other protection. The files in this mini-pack are three ZARs in the folder and one defanged cryptor (5min). When you run the cryptor there should be no alerts. When you run the ZARs there will be a UAC alert, so be sure to block it! Then reboot and please check network activity (via Killswitch or whatever you fancy) in a few minutes. Also run either HMP (more dramatic detection than MB for these) and/or RogueKiller.

www.adrive.com/public/FfUxWY/Music.7z

password is xxx

These can be run in a VM as the malware isn't VM aware. Let me know how it went.
 
Reactions: Cats-4_Owners-2

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
I don't see the bypass. Where is it located in the Task Manager? Also, Task Manager should have been run as administrator to see all processes; malware will not appear unless "Show Process from All Users" is enabled. You should use Microsoft Process Monitor to record all processes instead of using Task Manager, and have it running before Server.exe is started to show that nothing was running before you click Server.exe.

I tried to run this Server.exe on Windows 8.1 x64 and it does not run at all. No UAC prompts were displayed. Nothing at all was running on the system, and no network connections or anything. I had to disable Windows Defender, which detected it as a hack tool; SmartScreen also blocked it. I used Process Hacker and Microsoft Process Monitor to record all running processes and nothing at all was recorded. There were no changes made to the system either, probably the reason why UAC didn't display a prompt.

So I disabled UAC, SmartScreen and Windows Defender, then rebooted and tried to run it again without any protection.
Still nothing; it would not run and gave no errors at all, no matter how many times I tried to run it.

So I'm thinking either it is blocked by a recent Windows Update patch or it doesn't support x64 systems.
I even tried to load it in a debugger and nothing was displayed.

So I downloaded the file again to make sure I didn't have a corrupted file, extracted it without any protection, and still it would not run.

Enjoy!! :D


As I said in one of my earlier posts, I was not the one who conducted the test, but someone who develops anti-executable software. He says:

"The process IS in the Task Manager in the video, it is called Trojan.exe *32. I wish I would have kept the Task Manager open the whole time, but hindsight is 20/20, and I am not about to go through all that work again just to prove littlebits wrong. But it is in the Task Manager, just pause the video at 0:40, and you will see Trojan.exe *"

The link to the YouTube video is: https://www.youtube.com/watch?v=_AfSdO5plrs

I wonder why the video is black on one of my earlier posts? The video was working earlier. Was it blocked from this site?

You want a bypass on Windows 7? Try this:

https://www.trustedsec.com/downloads/tools-download/
 
Last edited:
Reactions: cruelsister

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Nicely said.
Thing is, as I mentioned in the previous posts, UAC cannot be bypassed from the internet.
So imagine some malware on a webpage, which is loaded with a bypass kind of payload; this malware cannot penetrate the system like a drive-by. In nearly 95% of all the cases the code needs to be injected (merged) within a legit file to gain entry to the victim's PC. So here you have your second example that a user needs to facilitate the infection itself in order for it to work.
Also the victim's PC needs to fit certain criteria to be able to be infected in the first place, because action number 3 a user needs to do before their PC can get infected is actually opening the file (or the carrier file).
So that's 3 actions a user needs to take in order to have ANY bypass work, and still this is not a 100% thing.

There simply is no malware out there that spreads over the net capable of bypassing UAC without user intervention.
However there are several that can bypass it, in a specific scenario and according to specific criteria.
The video shown by ifacedown shows that the "user" activates the "file/malware", which again is a user-based action.
Windows has never been designed to protect itself from dangers within; the whole point of UAC is to warn a user against most foreign dangers (considering the PC domestic) and about some critical actions internally.
So any fool can write an exploit to shut down UAC and execute it by hand, but if you are the hacker and you want to bypass UAC on your victim's PC 2000 miles away... good luck with that.
As it's not going to happen anytime soon, unless the person is running stone-age Windows, on a Flintstone config and Indian rain-dance protection... lmao.

That being said, let's assume that there would be malware on the net that could bypass the UAC core and policy engine; then I can guarantee that this would NOT be possible on a computer running the latest updates, internet security and common sense.
No, in order for this to work, you need a person that picks up a pen to write an email on the screen while their keyboard is in front of them, lmao.
So if you can find that person? Then he deserves to be bypassed.
But hey, that's just me saying it... but then again what do I know... ^^:)
What is this specific malware that makes it impossible for it to be a drive-by?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687

Uhmm ok,
Step 1: Navigate to the website.
Step 2: Download the file.
Step 3: Unpack, install, run the program.

That's 3 actions a user MUST do in order to have their UAC bypassed.
I said it before: INDIRECTLY you can bypass UAC, but DIRECTLY you cannot.
Or better said: locally you can exploit UAC, but from the internet you cannot.

The whole point of the UAC discussion is that UAC can be bypassed without you ever knowing it.
Scenario: you navigate to http://iwanttobehacked.com (assuming this is your favorite webpage) and some moron has hacked the webpage and injected a nasty little rootkit or trojan or exploit.
While you visit the webpage everything looks fine, but within your computer all hell breaks loose.
So you got infected & injected and you did not know a thing.

That's the scenario we are talking about. And this scenario CANNOT happen.

That said, if you want to bypass your UAC by deliberately installing a program then ANY fool can do so, but surfing the net and then being infected with a bypass on a top-notch system is like finding a briefcase with 100 million in it addressed to you.

Think about it.
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
I don't see the bypass. Where is it located in the Task Manager? Also, Task Manager should have been run as administrator to see all processes; malware will not appear unless "Show Process from All Users" is enabled. You should use Microsoft Process Monitor to record all processes instead of using Task Manager, and have it running before Server.exe is started to show that nothing was running before you click Server.exe.

I tried to run this Server.exe on Windows 8.1 x64 and it does not run at all. No UAC prompts were displayed. Nothing at all was running on the system, and no network connections or anything. I had to disable Windows Defender, which detected it as a hack tool; SmartScreen also blocked it. I used Process Hacker and Microsoft Process Monitor to record all running processes and nothing at all was recorded. There were no changes made to the system either, probably the reason why UAC didn't display a prompt.

So I disabled UAC, SmartScreen and Windows Defender, then rebooted and tried to run it again without any protection.
Still nothing; it would not run and gave no errors at all, no matter how many times I tried to run it.

So I'm thinking either it is blocked by a recent Windows Update patch or it doesn't support x64 systems.
I even tried to load it in a debugger and nothing was displayed.

So I downloaded the file again to make sure I didn't have a corrupted file, extracted it without any protection, and still it would not run.

Enjoy!! :D
This is totally funny!!!:):p :D:D:D
..and yes, I did 'Enjoy!!':D
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Yes, this topic has derailed and is headed west bound ;) :D ^^^

Can not believe this is still going on o_O How many ways does this have to be explained, or do we need a virtual chalkboard with pictures? :p
Why do you think it's a waste?
People are learning a lot from these kinds of threads.
 

Littlebits

Retired Staff
May 3, 2011
3,893
As I said in one of my earlier posts, I was not the one who conducted the test, but someone who develops anti-executable software. He says:

"The process IS in the Task Manager in the video, it is called Trojan.exe *32. I wish I would have kept the Task Manager open the whole time, but hindsight is 20/20, and I am not about to go through all that work again just to prove littlebits wrong. But it is in the Task Manager, just pause the video at 0:40, and you will see Trojan.exe *"

The link to the YouTube video is: https://www.youtube.com/watch?v=_AfSdO5plrs

I wonder why the video is black on one of my earlier posts? The video was working earlier. Was it blocked from this site?

You want a bypass on Windows 7? Try this:

https://www.trustedsec.com/downloads/tools-download/

This is just a hack trick made by the developer that any developer can do; it is not a bypass. What kind of malware writer would label the description of their malware "Trojan"? Just look at the Task Manager in the video and it plainly says under the description "Trojan". I find this very humorous :p. I wonder what will be next? Will other malware start identifying themselves as viruses, worms, adware, etc. in the Task Manager descriptions? Like I said, the description in the Task Manager is not even correct, because Windows Defender identified the threat as "Hack Tool", not "Trojan".

This is not an example of real malware in the wild bypassing UAC. The video looks like it was faked to make people believe that UAC can be bypassed by malware. Maybe by the developer himself to promote his anti-executable product. Anyway, it is a very poor example; even if it did get around UAC it still means nothing, since it is just a simple hack that no malware is known to use.

Enjoy!! :D
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
This is just a hack trick made by the developer that any developer can do; it is not a bypass. What kind of malware writer would label the description of their malware "Trojan"? Just look at the Task Manager in the video and it plainly says under the description "Trojan". I find this very humorous :p. I wonder what will be next? Will other malware start identifying themselves as viruses, worms, adware, etc. in the Task Manager descriptions? Like I said, the description in the Task Manager is not even correct, because Windows Defender identified the threat as "Hack Tool", not "Trojan".

This is not an example of real malware in the wild bypassing UAC. The video looks like it was faked to make people believe that UAC can be bypassed by malware. Maybe by the developer himself to promote his anti-executable product. Anyway, it is a very poor example; even if it did get around UAC it still means nothing, since it is just a simple hack that no malware is known to use.

Enjoy!! :D

The video is not fake.
The malware was not developed by the software developer, the malware source was given by CruelSis, I thought you were going to test the same malware.
 

Littlebits

Retired Staff
May 3, 2011
3,893

Deleted member 178

You clicked yes on UAC without knowing what the executable was about?

QyG19vyl.jpg
 
Reactions: Venustus and juhful

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,151
Iface- You bring up a good thing to know regarding one of the differences between UAC in Win7 vs UAC in Win8. If you noticed, the UAC breach analysis tool from TrustedSec to which you linked only works on Win7 and below, as it uses (I believe) the DLL search order hijack method for malware to gain high integrity elevation.
http://www.exploit-db.com/wp-content/themes/exploit/docs/31687.pdf
While this "hole" has been remedied in Windows 8, they never have corrected it in Win7.
 
Reactions: Littlebits
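As an added, defender-side illustration of the point above (example code, not from the forum, TrustedSec or the exploit-db paper): the observable trace of a search-order hijack used for elevation is a DLL loaded into an already high-integrity process from a directory a standard user can write to, which can be flagged by joining Sysmon-style process-creation and image-load records on the process GUID. The record format, field names, directory list and paths below are constructed for the example.

```python
"""Flag unsigned DLLs loaded by High/System integrity processes from
user-writable directories, joining constructed Sysmon-style Event 1
(ProcessCreate) and Event 7 (ImageLoad) records on ProcessGuid."""

# Directory prefixes a standard user can typically write to (assumed list;
# tailor it to the environment). Paths are compared lower-cased with '/'.
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/windows/temp/")

# Constructed sample log: one record per line, "key=value|key=value".
SAMPLE_LOG = [
    r"EventID=1|ProcessGuid=A1|Image=C:\Windows\System32\elevated_tool.exe|IntegrityLevel=High",
    r"EventID=7|ProcessGuid=A1|Image=C:\Windows\System32\elevated_tool.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=7|ProcessGuid=A1|Image=C:\Windows\System32\elevated_tool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll|Signed=false",
    r"EventID=1|ProcessGuid=B2|Image=C:\Users\alice\app.exe|IntegrityLevel=Medium",
    r"EventID=7|ProcessGuid=B2|Image=C:\Users\alice\app.exe|ImageLoaded=C:\Users\alice\plugin.dll|Signed=false",
]


def parse_record(line):
    """Split one 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def normalize(path):
    """Lower-case and use forward slashes so prefix checks are simple."""
    return path.lower().replace("\\", "/")


def find_suspicious_loads(lines):
    """Return (process, dll, integrity) for each unsigned DLL that a
    High/System integrity process loaded from a user-writable directory."""
    integrity_by_guid = {}  # Event 7 carries no IntegrityLevel; remember Event 1's
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["EventID"] == "1":
            integrity_by_guid[rec["ProcessGuid"]] = rec["IntegrityLevel"]
        elif rec["EventID"] == "7":
            # A load without a matching Event 1 stays "Unknown" and is not flagged.
            level = integrity_by_guid.get(rec["ProcessGuid"], "Unknown")
            if (level in ("High", "System")
                    and rec.get("Signed", "false") == "false"
                    and normalize(rec["ImageLoaded"]).startswith(USER_WRITABLE_PREFIXES)):
                hits.append((rec["Image"], rec["ImageLoaded"], level))
    return hits


if __name__ == "__main__":
    for proc, dll, level in find_suspicious_loads(SAMPLE_LOG):
        print(f"[{level}] {proc} loaded unsigned DLL from user-writable path: {dll}")
```

Medium-integrity processes loading their own plugins from the user profile are normal and stay silent; only the elevated process pulling an unsigned module from a user-writable path is reported.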

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
Iface- You bring up a good thing to know regarding one of the differences between UAC in Win7 vs UAC in Win8. If you noticed, the UAC breach analysis tool from TrustedSec to which you linked only works on Win7 and below, as it uses (I believe) the DLL search order hijack method for malware to gain high integrity elevation.
While this "hole" has been remedied in Windows 8, they never have corrected it in Win7.
I am not really knowledgeable enough in UAC... I am just curious in security, knowing that my netbook is used by others, my classmates.

They regularly plug in infected flash drives, and my security could handle that malware: MCShield, disabled autorun, and disabled execution from removable media.

However, regarding downloading and the internet, I know ESET and K9 Web Protection would handle that internet-thriving malware. I just don't know if other users would go on allowing and allowing things that are blocked by K9 and ESET.

In that case, I have two last resorts:

Shadow Defender and VoodooShield, both installed on my system.

Both are installed on my system, but I do run them only on demand.

What I like about Shadow Defender is that upon restart, all changes are undone. Even if others install programs (which they do), and infections happen, they will be undone.

But VoodooShield (VS) is also tough. With VS always turned on and its default 'deny' feature, virtually no malware could infect my system, no programs could be installed even if I left my computer to others. Version 2 of VS will come out very soon... with a free version. It would be a hit.

Running Shadow Defender and VS at the same time is overkill; just running one of them together with ESET, MCShield and Windows' own SmartScreen and UAC would be more than enough.

[Before, I created a Guest Account, but I do not prefer it.]
 
Reactions: nissimezra

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
I am not really knowledgeable enough in UAC... I am just curious in security, knowing that my netbook is used by others, my classmates.

They regularly plug in infected flash drives, and my security could handle that malware: MCShield, disabled autorun, and disabled execution from removable media.

However, regarding downloading and the internet, I know ESET and K9 Web Protection would handle that internet-thriving malware. I just don't know if other users would go on allowing and allowing things that are blocked by K9 and ESET.

In that case, I have two last resorts:

Shadow Defender and VoodooShield, both installed on my system.

Both are installed on my system, but I do run them only on demand.

What I like about Shadow Defender is that upon restart, all changes are undone. Even if others install programs (which they do), and infections happen, they will be undone.

But VoodooShield (VS) is also tough. With VS always turned on and its default 'deny' feature, virtually no malware could infect my system, no programs could be installed even if I left my computer to others. Version 2 of VS will come out very soon... with a free version. It would be a hit.

Running Shadow Defender and VS at the same time is overkill; just running one of them together with ESET, MCShield and Windows' own SmartScreen and UAC would be more than enough.

[Before, I created a Guest Account, but I do not prefer it.]
What are you using your computer for? Are you doing online banking, PayPal?
I think you are just paranoid for no reason.
If you let others use your PC then use a guest account with limited permissions. Or you can add timefreez, which is free. However, if you have 2 partitions it's a good idea to just remove the letter from the partition so it won't be visible.
 

ifacedown

Level 18
Thread author
Verified
Jan 31, 2014
888
What are you using your computer for? Are you doing online banking, PayPal?
I think you are just paranoid for no reason.
If you let others use your PC then use a guest account with limited permissions. Or you can add timefreez, which is free. However, if you have 2 partitions it's a good idea to just remove the letter from the partition so it won't be visible.
Basic use - documents, watching movies, downloads, surfing...

As I told you, I used a Guest Account before... for other users... but I don't want it now.

Maybe in the near future I will make a Guest Account again.
 
Reactions: nissimezra

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Basic use - documents, watching movies, downloads, surfing...

As I told you, I used a Guest Account before... for other users... but I don't want it now.

Maybe in the near future I will make a Guest Account again.
You are taking security way, way too seriously; relax and enjoy using your PC without fear.
You can create an image using Windows or Macrium Reflect, create a partition for your data and separate it from the OS.
In case of a crash there's no data loss and it can easily be recovered. Use a decent AV and you are OK.
 
