We always recommend not using an account with admin privileges as your default Windows user. Most malware relies on the fact that people run with high-privilege accounts, so when a sample is executed it can control the entire system.
Using Windows with a regular user account blocks most malware actions that require admin rights (installing rootkits, modifying system files, the registry or services, …). However, it is also really important to keep the system updated. You should install Windows updates every month, because even if your default Windows user does not have admin privileges, you can still be in trouble if you execute a piece of malware.
Let me show you an example.
Several months ago I was analyzing a new malware sample. The malware code had several features (creation of files in system directories, service/driver installation, code injection, creation of new autorun registry entries) that require administrative privileges to be accomplished. If the malware is executed as a regular user, it tries to exploit the MS08-066 vulnerability to elevate its privileges. This way, if the system has not been patched with MS08-066, it gets control of the entire system and the malware runs with administrative rights.
Look at the following code:
UPX0:29A02A67                push   offset aAdvpack_dll ; "advpack.dll"
UPX0:29A02A6C                call   LoadLibraryA
UPX0:29A02A72                test   eax, eax
UPX0:29A02A74                jz     short loc_29A02A84
UPX0:29A02A76                push   offset aIsntadmin ; "IsNTAdmin"
UPX0:29A02A7B                push   eax            ; hModule
UPX0:29A02A7C                call   GetProcAddress
UPX0:29A02A82                jmp    short loc_29A02A88
First it checks whether the user has administrative privileges (via the IsNTAdmin export of advpack.dll). If not, it tries to exploit the MS08-066 vulnerability to elevate its privileges:
UPX0:29A02A96 ms08_066_Exploit:                       ; CODE XREF: MalwareActions+5Aj
UPX0:29A02A96                call   sub_29A013E0
UPX0:29A02A9B                test   eax, eax
UPX0:29A02A9D                jnz    short loc_29A02AAD
UPX0:29A02A9F                call   sub_29A01520
UPX0:29A02AA4                test   eax, eax
UPX0:29A02AA6                jnz    short loc_29A02AAD
[…]
UPX0:29A01471                call   WSAStartup
UPX0:29A01476                push   offset aHaldispatchtab ; "HalDispatchTable"
UPX0:29A0147B                call   MyGetProcAddress ; Func_GetProcAddress
UPX0:29A01480                push   offset aPslookupproces ; "PsLookupProcessByProcessId"
UPX0:29A01485                mov    Handle_HalDispatchTable, eax
UPX0:29A0148A                call   MyGetProcAddress ; Func_GetProcAddress
UPX0:29A0148F                cmp    Handle_HalDispatchTable, 0
UPX0:29A01496                mov    Handle_PsLookupProcessByProcessId, eax
UPX0:29A0149B                jz     short loc_29A014BD
With this piece of code, if the system has not been updated with the MS08-066 patch, the malware is able to do whatever it wants. So even if your Windows user does not have admin privileges, you should update your system every month. It is really important if you don't want to be owned.
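The two controls the post recommends (run as a standard user, apply the monthly updates) can be checked from the machine itself. The following PowerShell script is an added example written for this page; it is not code from the original post or from the malware analysed there. It reports whether the current session holds administrative rights, whether a given security update is installed, and how many days have passed since the last hotfix was applied. The KB identifier is a placeholder parameter (the bulletin's real KB number is not given on this page, so fill it in from the MS08-066 bulletin); the function names are this example's own.

```powershell
# Added example (not from the original post): defender-side check of the two
# controls the post recommends. Function names are this example's own.

function Test-IsElevated {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HotfixInstalled {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^KB\d+$')]
        [string]$KbId
    )
    # Get-HotFix reads the list of installed updates from the local system.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-PatchAgeDays {
    # Days since the most recently installed hotfix; $null if no dates are recorded.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $latest) { return $null }
    return (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
}

# --- report -------------------------------------------------------------
$kb = 'KB0000000'   # PLACEHOLDER: replace with the KB number from the MS08-066 bulletin

if (Test-IsElevated) {
    Write-Warning "This session runs with administrative rights; daily work should use a standard user."
} else {
    Write-Output "OK: session is not elevated."
}

if (Test-HotfixInstalled -KbId $kb) {
    Write-Output "OK: $kb is installed."
} else {
    Write-Warning "$kb is not installed; a local privilege escalation such as the one in the post would succeed."
}

$age = Get-PatchAgeDays
if ($null -eq $age) {
    Write-Warning "No hotfix install dates recorded; check Windows Update manually."
} elseif ($age -gt 30) {
    Write-Warning "Last update installed $age days ago; the post recommends monthly updates."
} else {
    Write-Output "OK: last update installed $age days ago."
}
```

One caveat when reading the first result: `Test-IsElevated` looks at the token of the current session, so on systems with UAC an administrator running a non-elevated shell is reported as not elevated even though the account itself is an admin. If the question is "does this account belong to the Administrators group at all", check group membership separately rather than relying on the token.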