Trick allows malware to execute with administrator rights on Windows

Unless users properly read the User Account Control (UAC) prompt in Windows, there is no guarantee that malware is not executed with administrator rights. Researchers have developed malware that can trick users into manually granting it administrator rights.


UAC is meant to prevent malware from gaining Windows administrator rights by asking users for permission before software is given those rights. Unfortunately, UAC is not foolproof unless users inspect the UAC window in detail, researchers at security company Cylance warn.

[Figure: ShameOnUAC-01]

The researchers developed a proof-of-concept malware that tricks users. The malware waits until a user starts a process that requires administrator rights and uses that same process to execute the malware. The attack has to be tailored to the process the user starts. The researchers created two examples for Windows processes, a command line tool and the registry editor, but according to the researchers other processes can be abused as well.

[Figure: ShameOnUAC-02]

In the case of the command line tool, the malware waits until the user starts a command line with administrator rights. The malware then hijacks the process and asks the user for administrator rights for itself. The malware then also executes its own code through the command line. After it has executed its code, another command line window is opened so the user does not notice anything.

The attack with the registry editor is a little more complicated: with this method an external .reg file is silently loaded. This .reg file makes further registry edits possible. Afterwards the malware opens a new registry editor window so, again, the user does not notice anything. The process requires the user to click OK on two UAC notifications.

The Cylance researchers stress that their malware does not abuse a bug in UAC but abuses the way UAC works. Users can defend themselves by properly inspecting the UAC warning and by clicking on "more information" to see which program is asking for permission. Unfortunately this requires some technical knowledge to make a proper decision, which is why some users will always remain vulnerable to this attack.
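Since the attack relies on the user accepting a genuine UAC prompt, a defender will at least want the prompt to be as strict as Windows allows. The following audit script is an added example, not code from Cylance or from this article; it reads Microsoft's documented UAC policy values from the registry and reports any setting weaker than "Always notify" or that allows unsigned executables to be elevated.

```powershell
# Added example: audit the UAC policy values that control elevation prompts.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $uacKey

# Documented meanings of ConsentPromptBehaviorAdmin.
$adminBehaviour = @{
    0 = 'elevate without prompting (UAC effectively off for administrators)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}

function Describe-AdminBehaviour($value) {
    if ($null -eq $value) { return 'not set (Windows default applies)' }
    if ($adminBehaviour.ContainsKey([int]$value)) { return $adminBehaviour[[int]$value] }
    return 'unknown value'
}

$findings = @()
if ($policy.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled and no prompt is shown at all.'
}
if ($policy.ConsentPromptBehaviorAdmin -ne 2) {
    $findings += ('ConsentPromptBehaviorAdmin={0}: {1}. "Always notify" corresponds to value 2.' -f `
        $policy.ConsentPromptBehaviorAdmin, (Describe-AdminBehaviour $policy.ConsentPromptBehaviorAdmin))
}
if ($policy.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: prompts are drawn on the normal, interactive desktop.'
}
if ($policy.ValidateAdminCodeSignatures -ne 1) {
    $findings += 'ValidateAdminCodeSignatures is not 1: unsigned executables can request elevation.'
}

if ($findings.Count -eq 0) {
    Write-Output 'UAC policy is at the strictest prompting level.'
} else {
    $findings | ForEach-Object { Write-Output "Finding: $_" }
}
```

A strict policy only makes the prompt harder to miss; it does not replace reading the program name and publisher shown under "more information" before clicking OK.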
