Researchers trick Windows users with UAC window

Unless users properly inspect the notification, User Account Control (UAC) in Windows does not guarantee that malware will not run with administrator privileges. Researchers have created malware that can deceive users.

On Windows systems, UAC is intended to prevent malware that resides on a system from gaining administrator access by requiring users to grant permissions before running programs at that level. However, UAC isn’t foolproof unless users thoroughly inspect UAC windows, researchers at security firm Cylance warn.

The researchers developed a proof of concept of malware that could trick users. The malware waits for a user to start a process that needs administrative access, and then uses that same process to perform operations on a system. The attack must be tailored to the process that the user starts. The researchers have made examples for two Windows processes – the command-line tool and the program that can be used to edit the registry – but argue that other processes can also be abused.

In the case of the command-line tool, the malware waits for the user to launch the command line with administrative access, then gets in ahead of the user and asks for permission for such a process itself. The malware executes its own code via the command line. A new window of the command-line tool then opens, so that the user does not notice anything.

The registry editor attack is a little more complicated: it quietly loads an external .reg file that can be used to perform custom registry edits. The malware then opens a new registry editor window, so that the user still gets the window they expect. In this case the user sees a UAC window twice.

The Cylance researchers note that this is not a bug in UAC, but a way to exploit the way UAC works. Users can defend themselves by carefully inspecting the UAC messages and clicking ‘more information’, but they must have the technical knowledge to appreciate that information.
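The same detail a careful user would look for in the UAC window can also be checked after the fact in process-creation logs. The sketch below is an added example, not code from Cylance or from this article: it flags elevated launches of the two tools named above when they carry arguments, and notes whether a plain launch of the same tool follows shortly after. The event fields are modelled on Sysmon process-creation records, while the function names, the 10-second window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WATCHED = {"cmd.exe", "regedit.exe"}  # the two tools named in the article
FOLLOW_UP = timedelta(seconds=10)     # assumed window for the replacement launch

def args_of(cmdline):
    """Return everything after the first (possibly quoted) token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline)
    return m.group(1).strip() if m else ""

def tool_of(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_suspect_elevations(events):
    """Flag elevated launches of watched tools that carry arguments, and note
    whether an argument-less launch of the same tool follows within FOLLOW_UP."""
    elevated = sorted((e for e in events if e["IntegrityLevel"] == "High"
                       and tool_of(e["Image"]) in WATCHED), key=lambda e: e["UtcTime"])
    findings = []
    for i, e in enumerate(elevated):
        extra = args_of(e["CommandLine"])
        if not extra:
            continue  # plain launch: what the user actually asked for
        tool = tool_of(e["Image"])
        followed = any(tool_of(n["Image"]) == tool and not args_of(n["CommandLine"])
                       and n["UtcTime"] - e["UtcTime"] <= FOLLOW_UP
                       for n in elevated[i + 1:])
        findings.append({"tool": tool, "args": extra, "plain_launch_followed": followed})
    return findings

def ev(time, image, cmdline, level="High"):
    return {"UtcTime": datetime.strptime(time, "%H:%M:%S"), "Image": image,
            "CommandLine": cmdline, "IntegrityLevel": level}

CMD, REG = r"C:\Windows\System32\cmd.exe", r"C:\Windows\regedit.exe"
# Constructed sample events, not real telemetry.
SAMPLE = [
    ev("10:00:01", CMD, rf'"{CMD}" /c C:\Users\alice\AppData\Local\Temp\job.bat'),
    ev("10:00:03", CMD, f'"{CMD}"'),
    ev("10:05:00", REG, rf'"{REG}" C:\Users\alice\AppData\Local\Temp\tweak.reg'),
    ev("10:05:04", REG, f'"{REG}"'),
    ev("11:00:00", CMD, f'"{CMD}"'),
    ev("12:00:00", CMD, rf'"{CMD}" /c ipconfig /all'),
    ev("12:30:00", r"C:\Windows\System32\notepad.exe", "notepad.exe x.txt", "Medium"),
]
if __name__ == "__main__":
    for f in find_suspect_elevations(SAMPLE):
        print(f)
```

A finding with `plain_launch_followed` set to `False`, such as the 12:00:00 event, is more likely an ordinary administrative script than the decoy pattern and can be triaged at lower priority.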
