We always recommend not using an account with admin privileges as your default Windows user. Most malware relies on the fact that people run with highly privileged accounts, so when a piece of malware is executed it can control the entire system.
It is strongly recommended to use Windows with a regular user account, in order to avoid most of the malware actions that require admin rights (installing rootkits, modifying system files, registry keys or services, ...). However, it is also really important to keep the system updated. You should install Windows updates every month, because even if your default Windows user has no admin privileges, you can still run into problems if you execute a piece of malware.
Let me show you an example.
Several months ago I was analyzing a new malware sample. Its code had several features (creation of files in system directories, service/driver installation, code injection, creation of new autorun registry entries) that require administrative privileges. If the malware is executed as a regular user, it tries to exploit the MS08-066 vulnerability to elevate its privileges. This way, if the system has not been patched with MS08-066, it gains control of the entire system and the malware runs with administrative rights.
Look at the following code:
UPX0:29A02A67 push offset aAdvpack_dll ; “advpack.dll”
UPX0:29A02A6C call LoadLibraryA
UPX0:29A02A72 test eax, eax
UPX0:29A02A74 jz short loc_29A02A84
UPX0:29A02A76 push offset aIsntadmin ; “IsNTAdmin”
UPX0:29A02A7B push eax ; hModule
UPX0:29A02A7C call GetProcAddress
UPX0:29A02A82 jmp short loc_29A02A88
First it loads advpack.dll and resolves IsNTAdmin to check whether the user has administrative privileges. If not, it tries to exploit the MS08-066 vulnerability to elevate its privileges:
UPX0:29A02A96 ms08_066_Exploit: ; CODE XREF: MalwareActions+5Aj
UPX0:29A02A96 call sub_29A013E0
UPX0:29A02A9B test eax, eax
UPX0:29A02A9D jnz short loc_29A02AAD
UPX0:29A02A9F call sub_29A01520
UPX0:29A02AA4 test eax, eax
UPX0:29A02AA6 jnz short loc_29A02AAD
[…]
UPX0:29A01471 call WSAStartup
UPX0:29A01476 push offset aHaldispatchtab ; “HalDispatchTable”
UPX0:29A0147B call MyGetProcAddress ; Func_GetProcAddress
UPX0:29A01480 push offset aPslookupproces ; “PsLookupProcessByProcessId”
UPX0:29A01485 mov Handle_HalDispatchTable, eax
UPX0:29A0148A call MyGetProcAddress ; Func_GetProcAddress
UPX0:29A0148F cmp Handle_HalDispatchTable, 0
UPX0:29A01496 mov Handle_PsLookupProcessByProcessId, eax
UPX0:29A0149B jz short loc_29A014BD
With this piece of code, if the system has not been updated with the MS08-066 patch, the malware is able to do whatever it wants. So even if your Windows user has no admin privileges, you should still update your system every month. It’s really important if you don’t want to be owned.
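The two recommendations in this post (run as a standard user, and keep the monthly updates installed) can be verified on a workstation with a short script. The following PowerShell is an added example written for this page, not code from the original post or from the malware analysed here. It uses only standard .NET and PowerShell APIs (WindowsPrincipal, Get-HotFix); the KB number is a placeholder you must replace with the update you want to verify, since the post does not name one, and the 35-day threshold is an arbitrary choice.

```powershell
# Added example (not from the original post): a defender-side check for
# (1) whether the current session has administrative rights and
# (2) whether Windows updates are being installed regularly.

param(
    # Placeholder: replace with the KB number of the update you want to verify
    # (the post does not name the one that ships the MS08-066 fix).
    [string]$RequiredKb = 'KBNNNNNN',
    # Arbitrary threshold: warn if no update was installed in this many days.
    [int]$MaxDaysSincePatch = 35
)

function Test-RunningAsAdmin {
    # Asks the current token whether it carries the Administrators SID.
    # Under UAC an unelevated member of Administrators reports $false here,
    # because the filtered token is what malware would run with too.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PatchStatus {
    param([string]$Kb, [int]$MaxDays)
    # Get-HotFix lists installed updates; some entries have no InstalledOn date.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn
    $newest   = $hotfixes | Select-Object -Last 1
    # Get-HotFix -Id writes a non-terminating error when the KB is absent,
    # so silence it and treat "nothing returned" as "not installed".
    $present  = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    $daysOld  = if ($newest) {
        (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
    } else { $null }
    [PSCustomObject]@{
        RequiredKbInstalled = $present
        NewestHotFix        = if ($newest) { $newest.HotFixID } else { 'none' }
        DaysSinceLastPatch  = $daysOld
        Stale               = ($null -eq $daysOld) -or ($daysOld -gt $MaxDays)
    }
}

if (Test-RunningAsAdmin) {
    Write-Warning "This session has administrative rights; use a standard user for day-to-day work."
} else {
    Write-Host "OK: running as a standard (non-admin) user."
}

$status = Get-PatchStatus -Kb $RequiredKb -MaxDays $MaxDaysSincePatch
$status | Format-List
if (-not $status.RequiredKbInstalled) {
    Write-Warning "Required update $RequiredKb is not installed."
}
if ($status.Stale) {
    Write-Warning "No Windows update installed in the last $MaxDaysSincePatch days."
}
```

Run it as the account you use every day, for example `.\Check-Baseline.ps1 -RequiredKb KB123456` (the script name is assumed). Note that Test-RunningAsAdmin reports the effective token: an account that is a member of Administrators but runs unelevated under UAC prints "OK", so if you want to audit group membership itself rather than the current token, inspect the local Administrators group separately.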