Vista’s Despised UAC Nails Rootkits
PCWorld has a story about a test conducted by AV-Test.org that was supposed to rate the most popular anti-virus products' ability to detect rootkits. For people who don't know, a rootkit is a program that takes complete control of a system and tries to hide itself deep within the operating system. They are notoriously difficult to detect once they are installed. The most interesting result from this test wasn't necessarily which product detected what, but the revelation that Vista's security framework, specifically User Access Control (UAC), was really effective at preventing rootkit infection. The test took 30 rootkits written for Windows XP and ran them against various anti-malware and anti-rootkit suites. Some of them scored fairly well, but none were perfect. Of the 30 XP rootkits, only 6 would actually run on Vista, and in order to get them to run UAC had to be disabled. This means that UAC has significantly raised the bar of entry for rootkits on Windows. This shouldn't really come as a surprise to anyone familiar with this area, but there seem to be a lot of loudmouths shouting that UAC is worthless and should be disabled. I have an anecdote that tells a different story.
The last product that I worked on was essentially a rootkit. It was a component of a broader intrusion detection system which needed real-time information about what was going on in the system. We wrote a simple device driver that intercepted all events within the kernel and logged them out to a database. This means that every file, registry key, key pressed, port opened, etc., was visible to this program and logged. We originally wrote it to work on XP, along with an application to install it as a service, which involved a couple of calls to the Service Controller. If the user was running with an Administrator account (which everyone in XP does) then the driver would be loaded completely invisibly. That means that any program that you have ever installed could very easily be spying on everything you, or any other user on your machine, does. I say it could "very easily" be doing this, not because the code is particularly easy to write, but because the Internet is absolutely littered with rootkit code, especially the .cn domain.

A little while ago we decided to update our driver to work under Vista. Since rootkits are essentially an extension of the operating system, they become very dependent on certain structures and features of an OS and tend to only work under that version. So we had to change the code a little bit to get it to run, but for the most part it was the same program. The only real difference between the two versions was that on Vista, even if the user is logged in as Administrator, the installation of the service would fail if it wasn't elevated with a UAC prompt.

Privileges in Windows work with tokens; each user and group has a token, there is a system-level administrator token, etc. When a program starts, it is given the token of the user, and is run with whatever permissions that user has. So users in the Administrators group in XP would pass along Administrator, or system-level, permissions to any application.
The difference between XP and Vista is that when a user is in the Administrators group, their token in Vista is not a complete system access token. For an application to receive system-level access, it must be spawned by a system-level user group (SYSTEM, LOCAL SERVICE, etc.) or be elevated by an administrator with a UAC prompt. This prompt assures that the user behind the keyboard is aware that they are giving this application complete access to the system. Sure, it can get a little annoying from time to time, but I'd rather have a prompt alerting me every so often than a rootkit silently being installed.
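The two token states described above (a member of Administrators running with a filtered token versus one elevated through the UAC prompt) can be inspected directly, and the kind of service installation the post describes leaves a record that a defender can audit. The following PowerShell script is an added example for this post, not code from the original author or their product. It assumes Vista or later and queries the current process token's elevation type through the documented `GetTokenInformation` call with the `TokenElevationType` information class, then lists kernel-mode driver services recorded by the Service Control Manager's event 7045 ("A service was installed in the system") in the System log; the function names and the 30-day window are my own choices.

```powershell
# Added example: inspect the current token's UAC state and audit driver installs.
# Not part of the original post; assumes Windows Vista or later.

Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                              out int info, int infoLen, out int returnLen);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-TokenElevationType {
    # TOKEN_QUERY access right and the TokenElevationType information class (18).
    $TOKEN_QUERY        = 0x0008
    $TokenElevationType = 18

    $token = [IntPtr]::Zero
    if (-not [UacDemo.Native]::OpenProcessToken([UacDemo.Native]::GetCurrentProcess(),
                                                $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $type = 0; $len = 0
        if (-not [UacDemo.Native]::GetTokenInformation($token, $TokenElevationType,
                                                       [ref]$type, 4, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # TOKEN_ELEVATION_TYPE values:
        #   1 Default - no split token (UAC off, or a standard user): XP-style behaviour
        #   2 Full    - the full administrator token, i.e. elevated via the UAC prompt
        #   3 Limited - an Administrators member running with the filtered token
        switch ($type) {
            1 { 'Default' }
            2 { 'Full' }
            3 { 'Limited' }
            default { "Unknown($type)" }
        }
    }
    finally {
        [void][UacDemo.Native]::CloseHandle($token)
    }
}

function Get-RecentDriverInstalls {
    # Kernel-mode driver services installed in the last $Days days, from SCM event 7045.
    # Event data fields (in order): ServiceName, ImagePath, ServiceType, StartType, AccountName.
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $p[0].Value
                ImagePath   = $p[1].Value
                ServiceType = $p[2].Value
                StartType   = $p[3].Value
            }
        } |
        Where-Object { $_.ServiceType -match 'kernel mode driver' }
}

# Usage: an Administrators member in a normal console sees 'Limited'; the same
# console started with "Run as administrator" sees 'Full'; with UAC disabled, 'Default'.
"Current token elevation type: $(Get-TokenElevationType)"
"Kernel-mode drivers installed in the last 30 days:"
Get-RecentDriverInstalls | Format-Table -AutoSize
```

Running the first function from a plain console and again from an elevated one is the quickest way to see the split token the post is talking about: same account, two different tokens, and only the second one can register a driver service. The second function is the defender's side of the same story; since every service installation on Vista and later passes through the Service Control Manager, a driver showing up in event 7045 that nobody remembers approving through a UAC prompt is worth a closer look.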