User Account Control (UAC) was probably the first new feature of Windows Vista that most users encountered, and it received considerable attention when the OS was released. UAC gives users a way to act as computer administrators only for administrator tasks. This matters because it limits powerful (and potentially dangerous) administrator rights to the software that actually requires them. Over time, UAC prompts have diminished, especially with the release of Windows 7. But it’s clear malware authors really hate UAC.
When UAC was introduced, the verdict from malware authors was remarkably clear – go around it. This was a total change from Windows XP, and the advice on malware forums was nearly universal: instead of running malware as an administrator from locations that are easily accessible with administrator rights, just run in the user profile with user rights. Unfortunately, this was not a big problem for malware. It did, however, become very difficult for malware to elevate to administrator rights, which was the purpose of UAC, so most malware has decided to simply go around it.
While UAC avoidance continues as a tactic, the Microsoft Malware Protection Center has found more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts for its payloads on every reboot. The Sality virus family, Alureon rootkits, rogue antivirus such as FakePAV, Autorun worms, and the Bancos banking Trojans all have variants that turn UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now use behavior monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly.
The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking “OK” on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity.
In the chart below of the top 5 threats from machines with UAC off, from a single day, we see both techniques. The Rorpian worm may exploit the Domain Name System (DNS) Server Service vulnerability, which allows it to gain Administrator rights and turn UAC off. SideTab and OneScan, however, use social engineering techniques to get elevated and then disable UAC.
| Threat | UAC Disabled |
| --- | --- |
| Worm:Win32/Rorpian.gen!A | 95% |
| Worm:Win32/Rorpian.E!lnk | 92% |
| Worm:Win32/Rorpian.E!inf | 92% |
| Adware:Win32/SideTab | 82% |
|  | 68% |
About 23% of computers reporting detections in a day had UAC disabled. While some threats directly turn off UAC, others have a lower success rate when UAC is on.
In addition to always updating your software and running up-to-date antivirus, the best thing to do is to leave UAC enabled. UAC is not intended as malware protection, but it’s another layer of security that helps improve the safety of Windows. If you’ve been attacked by malware, please check the UAC setting in the Control Panel to see whether it has been tampered with. It’s easy to do through the Control Panel by following these instructions: turn UAC on, and prompts should now be rare. If a UAC prompt you don’t expect pops up, you can also click “No”.
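As an added example (not code from the post or from the MMPC), the following PowerShell script performs the "has UAC been tampered with" check from the command line instead of the Control Panel: it reads the standard Windows UAC policy values under HKLM, which the post does not name, and flags any that no longer match a secure configuration. It only reads the registry and changes nothing.

```powershell
# Added example, not part of the MMPC post: audit the UAC policy values that
# malware tampers with and flag any that no longer look secure.
# Registry path and value names are the standard Windows UAC policy settings.
function Test-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction Stop

    # Each check: value name, a test for "still secure", and what a failure means.
    $checks = @(
        @{ Name    = 'EnableLUA'
           Secure  = { param($v) $v -eq 1 }
           Meaning = 'UAC is turned off entirely' },
        @{ Name    = 'ConsentPromptBehaviorAdmin'
           Secure  = { param($v) $v -ne 0 }      # 0 = elevate without prompting
           Meaning = 'administrators elevate silently, no prompt is ever shown' },
        @{ Name    = 'PromptOnSecureDesktop'
           Secure  = { param($v) $v -eq 1 }
           Meaning = 'prompts are not isolated on the secure desktop' }
    )

    foreach ($c in $checks) {
        $actual = $policy.($c.Name)
        # A missing value means Windows falls back to its built-in default;
        # report it as NotSet rather than guessing which default applies.
        if ($null -eq $actual) {
            $state = 'NotSet'
        } elseif (& $c.Secure $actual) {
            $state = 'OK'
        } else {
            $state = 'TAMPERED'
        }
        $note = ''
        if ($state -eq 'TAMPERED') { $note = $c.Meaning }
        [PSCustomObject]@{
            Setting = $c.Name
            Value   = $actual
            State   = $state
            Note    = $note
        }
    }
}

# Usage: show the results, then exit non-zero if anything was tampered with,
# so the check can run from a scheduled task or a logon script.
$results = Test-UacSettings
$results | Format-Table -AutoSize
if ($results.State -contains 'TAMPERED') { exit 1 }
```

A non-zero exit code here is a reason to investigate the machine, since the post notes that changing these values requires the malware to have already run elevated.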
Joe Faulhaber