Mar 12th

Is Limited User Account enough? Not really...

Posted by: Marco Giuliani


I often read on online boards that many people believe using a Least-Privilege User Account (or Limited User Account, LUA) prevents you from being infected by any kind of malware.

While this is a true statement and, indeed, this should be the way to go for a number of reasons which I'll explain a bit later, the truth is that using a Limited User Account doesn't save you from every kind of infection.

Until recently, most malware relied on administrator privileges to infect computers. This was a consequence of Microsoft's choice to make the first account created after Windows installation an Administrator. Users, for the most part, don't wonder why they are administrators or why they should create a limited user account; they simply want to start up their PC and work (or play games, or whatever else).

Having administrator privileges, you can do what you want, even going in-depth to manipulate the system core. Most of the current kernel-mode rootkits can do their dirty jobs because they have administrator privileges.

This is where one of the important innovations in Windows Vista comes in: the default account is a limited user account, protected by User Account Control (UAC). Before administrator privileges are granted, the user has to approve them through a prompt.

The way Windows handles user privileges (from NT through Vista, excluding the Windows 9x versions, which were built on a different kind of kernel) is quite strong. At the moment there are no known ways to manipulate it unless you already have administrator privileges, in which case you can compromise the whole system anyway (or unless there is an unknown bug in some Windows core component, or in some software already running with full privileges, that enables privilege escalation; but that is another interesting story).

Turning back to the goal of this blog entry...

What if we use a limited user account? Are we really safe?

Using a limited user account, we can indeed reach a high level of security. Let's look at a basic example: most types of malware try to write a copy of their code into the Windows or Windows system directory, and try to obtain startup persistence by adding registry values under the HKEY_LOCAL_MACHINE subtree, which holds configuration for the local computer as a whole. That subtree is shared by every user created on the machine, so an infection registered there is active no matter which user logs on.

A piece of malware running under a standard limited user account can't write into the Windows or Windows system directories, nor into that part of the Windows registry. A kernel mode rootkit (Rustock, the Bagle rootkit, Srizbi, part of Haxdoor, and others) would need to load its own driver into kernel space. There are several ways to do that, documented and undocumented, but every one of them needs administrator privileges. These are just a few examples to show that running under a limited user account really does prevent many current infections.

Is the LUA enough?

No, it isn't, at least in its standard configuration.

Let's think about it: one of the goals of current malware is to steal user information so that it can be sold on the underground market. This dirty job can be done even from a guest account; even from there it is possible to intercept and log keystrokes. The malware can still find a way to run at Windows startup: if it isn't possible to write into HKLM, it's still possible to write into your own HKEY_CURRENT_USER registry subtree.

This means that the malware will run only when the infected account logs on: is this a problem? Not at all for a malware writer: the goal is to infect and steal information, and this is what is done.
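The HKLM-versus-HKCU distinction above is easy to check on a real machine by exporting both Run keys (`reg export`) and triaging the result. The following Python script is an added example, not code from the original post: it parses the text format of a `.reg` export, tags each autostart entry by the hive it lives in (HKEY_LOCAL_MACHINE entries apply to every account and need administrator rights to write; HKEY_CURRENT_USER entries are per-user and writable by a limited account), and flags per-user entries that launch from a directory the same limited account can also write to. The sample export, the "VendorTray", "SyncClient" and "updater" names, and the paths under `C:\Users\mike` are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: roughly what `reg export` of the two Run keys could look
# like on "mike"'s machine. Value names and paths are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="\"C:\\Users\\mike\\AppData\\Local\\SyncClient\\sync.exe\" /background"
"updater"="C:\\Users\\mike\\AppData\\Roaming\\svc\\updater.exe"
'''

# Autostart subkeys discussed in the post (compared case-insensitively).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# Directories a limited account can write to without administrator rights.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    scope: str                         # "machine" (HKLM) or "user" (HKCU)
    writable_by_limited_user: bool     # could a limited account have added this?
    launches_from_user_writable_path: bool


def _unescape(value: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_reg_export(text: str) -> List[AutostartEntry]:
    """Return the REG_SZ values found under Run/RunOnce keys in a .reg export."""
    entries: List[AutostartEntry] = []
    hive, subkey = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key header, e.g. [HKEY_CURRENT_USER\Software\...\Run]
            hive, _, subkey = line[1:-1].partition("\\")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)   # "Name"="command"
        if not m or hive is None or subkey.lower() not in RUN_KEYS:
            continue
        scope = "machine" if hive.upper() == "HKEY_LOCAL_MACHINE" else "user"
        command = _unescape(m.group(2))
        entries.append(AutostartEntry(
            hive=hive, key=subkey, name=m.group(1), command=command, scope=scope,
            writable_by_limited_user=(scope == "user"),
            launches_from_user_writable_path=any(
                hint in command.lower() for hint in USER_WRITABLE_HINTS),
        ))
    return entries


def per_user_autostarts(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries a limited account could have created entirely on its own:
    registered in the per-user hive and launched from a user-writable directory.
    This is a triage list, not a verdict; legitimate per-user software lives there too."""
    return [e for e in entries
            if e.scope == "user" and e.launches_from_user_writable_path]


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_REG_EXPORT)
    for e in found:
        print(f"{e.scope:7} {e.name:12} limited-user-writable={e.writable_by_limited_user} {e.command}")
    print("review first:", [e.name for e in per_user_autostarts(found)])
```

On a real system you would feed the script the output of `reg export` for both hives; anything in the per-user list still needs a look at the binary itself (publisher, signature, whether the user installed it) before calling it an infection.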

We can then go on to talk about rootkits. I've already written above that under a limited user account, a kernel mode rootkit can't run; but don't forget about user mode rootkits.


Running under a limited user account will still give attackers a nice chance to play their game. If a user runs a piece of software under his limited user account, the software will get the user's privileges. What does this mean? Basically, every piece of software run by the same user will get the same privileges. More exactly, with a bit of work, every piece of software can write into the process memory zone of other processes owned by the same user.

So, if user "mike" is running under a limited account, runs notepad.exe and then runs a piece of malware, the malware can modify the notepad process in memory, for example by injecting code into it. More interesting still, as you can check for yourself by looking at process owners in Task Manager, explorer.exe obviously runs with mike's privileges too.

In other words, Windows Explorer, which provides the Windows graphical shell, can be modified by a piece of malware even under a limited user account.

This is really all a user mode rootkit needs to hide an infection (maybe a trojan keylogger, as mentioned before). The goal of a rootkit is to hide an infection in a system, not to deeply subvert the Windows kernel.

Whether it injects code into other processes, modifies the IAT/EAT, hooks the SSDT, uses DKOM techniques, and so on, is not important at all; the goal is to hide something from the user's eyes.

I'm sure someone is already thinking: "Sure, it is possible, but these rootkits can be easily detected and removed. It's enough that the antimalware software runs under the Administrator or SYSTEM account so that the rootkit can't corrupt it, because a limited user account can't access processes owned by other accounts."

Bingo, we've got to the goal of this blog post.

Yes, they can be defeated more easily, but we need a security product to do it. And the people who think a standard limited user account is enough to avoid getting infected usually won't bother to check whether they're infected.

The truth is that, even under a standard limited user account, there are still several ways a piece of malware can infect a PC. I have only covered some of the ways malware can work; there are others I won't talk about.

This is an old video I already posted some months ago but it's really useful at the moment. This one shows how Vanquish, an old user mode rootkit, can still work under Windows Vista with UAC.

In the end, be careful: a standard LUA is really useful for avoiding PC infections, but it is not enough by itself.

2 comments so far

  1. Kishore on 13/03/2008 09:40:19
     Could you please round up this article with a recommendation for a software add-on to protect against malware infections when we have LUA and also when we do not.

  2. Al on 13/03/2008 15:22:24
     Look at the top of the page :)
