Thread: Microsoft Security Essentials 2.1 Detects UAC-Killing Malware via Behavior Monitoring

  1. #1
    Experienced User

    Microsoft Security Essentials 2.1 Detects UAC-Killing Malware via Behavior Monitoring

    Microsoft Security Essentials, the Redmond company’s free security solution for Windows 7, Windows Vista and Windows XP, has evolved with behavior monitoring capabilities designed to let it identify malicious code that attempts to switch off User Account Control.

    And this is the case not only for Microsoft Security Essentials 2.1 (MSE 2.1) but also for additional AV offerings from the software giant, including Windows Intune and Forefront Endpoint Protection.

    The evolution of Microsoft’s security solutions comes as a natural response to malware advances, especially around malicious code disabling UAC.

    “The Microsoft Malware Protection Center has found more and more malware opening a new front and turning UAC off itself,” revealed Microsoft’s Joe Faulhaber.

    “Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off.”

    User Account Control was initially introduced with Windows Vista and it only moved to the next level in Windows 7.

    While not an impassable security barrier, UAC does provide an extra layer of defense against malicious code, and more importantly it forces both users (including administrators) and software to run with reduced privileges.

    Standard user privileges, as opposed to full admin rights, make copies of Vista and Windows 7 less prone to malware infections.

    Faulhaber notes that malware authors really hate UAC, and while some Windows users have also failed to take the security mitigation to heart, his advice is to not turn the feature off, under any circumstances. Doing so would just make the life of malware authors that much easier.

    Initially, new malicious code adapted to Vista and Windows 7 used a tactic dubbed UAC avoidance. Just like legitimate software vendors, malware authors tailored their code to run under UAC with limited privileges. But it appears that more and more, they’re opting to kill off the feature altogether, since it’s hard for their malware to gain elevated privileges.

    “The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate,” Faulhaber explained.

    “Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity.”

    According to Faulhaber, approximately 23% of malware detections per day are associated with scenarios in which UAC was also disabled, either by the malicious code which needs to exploit a vulnerability to gain admin privileges, or by the users themselves, tricked through social engineering techniques.

    Source
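    The article above says malware must already be running elevated to switch UAC off, and that a large share of detections happen on machines where UAC is already disabled. A defender's first check is therefore whether UAC is actually effective on a given box. The script below is an added example and is not code from the thread, from Microsoft or from the article; the registry key path and the value names EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the documented Windows UAC policy locations, while the fallback defaults used for missing values (the Windows 7 defaults) and the wording of the findings are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread, Microsoft or the article): audit the UAC
# policy values that both UAC-disabling malware and impatient users change, and
# report anything that makes the elevation prompt silent or absent.

# Documented Windows location of the UAC policy values (real key, not constructed).
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    [CmdletBinding()]
    param()

    $props = Get-ItemProperty -Path $UacPolicyKey -ErrorAction Stop

    # Missing values fall back to the Windows 7 defaults (assumption for this
    # example): UAC on, prompt for consent, prompt on the secure desktop.
    $enableLua   = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $props.ConsentPromptBehaviorAdmin) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $props.PromptOnSecureDesktop) { [int]$props.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($enableLua -ne 1) {
        $findings += 'EnableLUA is 0: UAC is turned off, so an elevated process runs without any prompt.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently (UAC is effectively off for them).'
    }
    if ($secureDesk -ne 1) {
        $findings += 'PromptOnSecureDesktop is 0: prompts appear on the normal desktop instead of the secure desktop.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        UacEffective               = ($enableLua -eq 1 -and $adminPrompt -ne 0)
        Findings                   = $findings
    }
}

function Restore-UacDefaults {
    # Put the three values back to their Windows 7 defaults. Needs admin rights;
    # a change to EnableLUA only takes effect after a reboot.
    Set-ItemProperty -Path $UacPolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Write-Warning 'UAC policy restored; reboot for EnableLUA to take effect.'
}

# Usage: report the current posture and point at the fix if UAC is not effective.
$posture = Get-UacPosture
$posture | Format-List
if (-not $posture.UacEffective) {
    Write-Warning 'UAC is disabled or silent on this machine; run Restore-UacDefaults to re-enable it.'
}
```

    The check treats ConsentPromptBehaviorAdmin set to 0 as equivalent to UAC being off, because an administrator account then elevates with no prompt at all, which is exactly the condition the article says malware wants. In a fleet, the same function can be run by a configuration-management or monitoring job and its UacEffective field alerted on, so a machine where UAC was switched off (by a user or by malware) stands out before the next infection rather than after it.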

  2. #2
    I'd rather be fishing!
    Personally I have UAC turned off, as I don't like it. Am I more at risk for being infected? Probably, but I do try to use common sense while surfing the net and keep an up to date back up on another HDD not connected to the system just in case.
    Life isn't about waiting for the storm to pass, it's about learning to dance in the rain!

  3. #3
    Experienced User
    Most do not like the limited user rights. That's not a way out, but a setback. For now, common sense and caution are the main thing; having a backup is a good thing.

  4. #4
    Senior Techie
    It also warns you that you have trojan problems when you don't.
    I switched off automatic updates on my daughter's computer and the Spyware program on MSE, and she started getting trojan problems with MSE.
    MalwareBytes also pounced on it, picking up the problem with MSE on its scan.
    It gave the same Trojan problem as MSE, but when I went into Quarantine with M/bam it just said Windows Security program switched off.
    So basically I spent most of the day trying to find out why MSE and Malwarebytes were warning of the so-called Trojans, only to find out it was because I had turned a few of Windows' security programs off.
    I can do without programs like that, so I got rid of MSE and will not be using it again.

  5. #5
    Administrator
    I too have UAC disabled because it is annoying and has its weaknesses. Check out the article below on how easy it is for malware to drop to another location and also add itself to auto startup.
    http://www.raymond.cc/blog/archives/2010/06/07/weaknesses-windows-7-user-account-control/

  6. #6
    sm1
    Experienced User
    Thanks for sharing

  7. #7
    The Specialist *
    UAC is not good at all for me. But useful most of the time. Anyway, nice share.
    I don't need to know everything, I just need to know where to find it, when I need it.
