Malware turns off Windows' UAC, warns Microsoft

[Marshall Veteran]

Computerworld - Microsoft this week urged users to keep an oft-criticized Windows security feature turned on, even as it said that more malware is disabling the tool.

User Account Control (UAC) is the feature that debuted in Vista and revised in Windows 7 that prompts users to approve certain actions, including software installation.

UAC was "universally hated" in Vista, and was a major complaint about the unsuccessful operating system, a Gartner security analyst said more than two years ago.

"From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get 'click fatigue,'" said John Pescatore of Gartner in the months before Windows 7's launch.

Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

This week, Microsoft's Malware Protection Center (MMPC) said that malware was increasingly turning off UAC as a way to disguise its presence on infected PCs.

To disable UAC, attack code must either exploit a bug that allows the hacker to gain administrative rights -- Microsoft calls those flaws "privilege elevation" vulnerabilities -- or trick the user into clicking "OK" on a UAC prompt.

Apparently, neither are difficult.

Some of the most-common threats now in circulation -- including the Sality virus family, Alureon rootkits, the Bancos banking Trojan and fake antivirus software -- have variants able to switch off UAC, said Joe Faulhaber of the MMPC team in a post to the group's blog.

One worm, dubbed "Rorpian" by Microsoft, is especially enamored with the anti-UAC tactic: In more than 90% of the cases involving Rorpian on a single day, MMPC observed the worm disabling UAC by exploiting a four-year-old Windows vulnerability.

Nearly one-in-four PCs that reported malware detections to Microsoft had UAC switched off, either because of malware antics, or because the user turned it off.

UAC has not been problem-free on the technical side, either. Months before Windows 7's debut, a pair of researchers revealed a bug in the feature that hackers could use to piggyback on preapproved Microsoft code to trick Windows 7 into granting malware full access rights.

Although Microsoft initially dismissed their reports, it later changed UAC.

Faulhaber provided a link to instructions for switching UAC on or off on Vista. They can also be used on Windows 7, but the final step is to pull the slider to "Never Notify" to turn off UAC.

Source

[mad_onion]

My understanding is that privilege escalation vulnerability are in fact pretty rare. But in regards to the news isn't it pretty obvious that malware might disable UAC. I mean if I was writing malware I would probably do that too....

[Anthonyd]

Yet, the user has to manually start the malware with administrative right which disables the UAC. So nothing new here, right?

[Hum]

OMG ! No UAC ???? How much do I have to pay to feel safe again ... :woot:

[Jen Smith]

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

[Kondrath]

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

I have no idea why I never thought of that. I always disable UAC completely just because it's annoying and I'd probably click "Continue" without really caring, anyway. Maybe I'll set it up like that eventually.

[jakem1]

I've personally never had a problem with UAC and happily leave it running as a final safety check whenever I'm doing something. I quite like the fact that it makes me think twice if it pops when I wasn't expecting it.

In regards to the article, it seems like typical Computerworld flamebait. It's pretty much devoid of facts and spends most of it's time dredging up Vista-era hate. Here's the best bit:

Apparently, neither are difficult.

Why provide any evidence to back up your claims when you can just make an unsubstantiated assumption :rolleyes:

Lazy "journalism" at its best.

[Denis W. Veteran]

The social engineering problem will never be solved, short of some real-time scanner catching culprits on the fly. The whole OS X fake antivirus scare from a few months ago was proof of that; users would willingly enter their credentials without thinking twice of what they're installing.

[bugsbungee]

The social engineering problem will never be solved, short of some real-time scanner catching culprits on the fly. The whole OS X fake antivirus scare from a few months ago was proof of that; users would willingly enter their credentials without thinking twice of what they're installing.

+1. Idiots will be idiots. We can't protect people from themselves in real life nevermind on their own computers - and the sooner this is realised the better.

[ThePitt]

UAC is annoying by definition. Most of the ppl I know, they disable it.

[hagjohn]

I barely see it, unless I'm updating something.

[xWhiplash]

I barely see it, unless I'm updating something.

I agree. Even as a standard user on my computer, I only see it about 8 times a month or so. I do not know why people complain about it so much.

[etempest]

I remember when MS initially decided to not have UAC prompt when turning UAC off and was resistant to the outcry about this until it became so bad, MS eventually reversed it's decision so turning off UAC would prompt you.

Vista UAC frequency was annoying, Win7 seems to get it right (for me).

[Rigby]

I don't use it. My account is set up as a standard user and I have Windows firewall configured to block everything outbound except for the programs I specifically allow. The problem with UAC is that it popped up for too many things (especially in Vista where it was in your face constantly). People got used to just clicking the UAC notice away without even reading it because it was so annoying. If I need admin access for a program or something I just click Run As Administrator and put in my password, and these days I rarely have to do that since people are finally learning to write their programs properly.

[Growled Member]

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

That's the exact same way I set up all my systems. My wife use to get annoyed with me and ask for the password, but after almost making a couple of bad boo-boos she has sense learned the value in the system. She would have a ton of malware installed left to her own devices.

[Aethec]

So...if you gain admin rights, you can disable UAC...

[dvb2000]

UAC was implemented in Windows mostly because a lot of looney linux fanatics constantly harangued the media and Microsoft and kicked up a scare campaign saying Windows NEEDED this type of protection to make it secure, "like linux" - lol

Unfortunately Microsoft took the "easy" path and implemented it, rather than stand up for themselves and their users and stuffed up Windows usability as a result.

+1 for the linux fanboys. Didn't do them any good though. Even though they bought down Windows, no one took up linux as a result!

[lalalawawawa]

Is this a joke or something?