UAC Impact on Malware

[ZeroDay]

The User Account Control (UAC) is a feature in Windows where every application ran under an administrator user account only runs in the context of a standard user. UAC not only has an impact on the tools we use as I discussed before but it has the same impact on tools used by others such as malware. Recently, I’ve been doing work involving client-side exploits when I was reading a recipe about using Metasploit to take advantage of the way some applications loads external libraries on the Windows operating system. It reminded me about something I read about the ZeroAcess Rootkit. How ZeroAccess will leverage the DLL search order vulnerability to bypass the restrictions enforced by UAC. In this post I’m having a little fun by demonstrating the impact UAC has on malware and how effective the DLL search order exploit is for bypassing UAC. The following are the sections for this post:

- What is UAC
- DLL Search Order Vulnerability
- ZeroAccess’s Method to Bypass UAC
- Metasploit Setup
- Restrictions Enforced by UAC
- Bypassing UAC
- Summary

Source.

 

[Jack]

Even with this potential bypass, the UAC is a very good layer of protection. I have no doubt that Microsoft can easily patch its product.
The main issue with this feature is the lack of white list, which made the less techie users to ignore or even disable the User Account Control.
If a file is signed by Adobe, Symantec, Kaspersky or other known companies I do think that by default, we should not see the UAC alert. This should make a pop-up alert be taken more seriously by those of us that aren't very savy.

 

[Deleted member 178]

i agree at least they should also display a color showing the level of risk of the executable.