Windows Vista has an especially annoying implementation of file permissions. As I’ve ranted on before, Administrator accounts within Vista aren’t really like the “root” accounts of *nix systems. The main difference lies with the fact that Administrators in Vista do not have outright permissions to access all files on the hard drive.**
This poor implementation of the permissions structure can be exploited by malware to make files that are undetectable to Anti-Virus products. Let’s go through the following demo to show you just how this works:
First off, I downloaded the eicar malware test file from here. It’s a file that’s detected by pretty much all anti-virus products out there.
I then ran the free version of AVG. AVG detected, and removed, the suspicious piece of malware. This is what’s supposed to happen. Now let’s introduce into here the Windows Vista Rootkit Deluxe aka. Windows Permissions.
This time I created a new account in Windows Vista, with user-level permissions. While the fact that I chose this account type is rather irrelevant, it does highlight the fact that programs don’t need to run with admin-level permissions to make this rootkit work. And new accounts in Vista can be made with ease when you’re on an administrator account to begin with; something which nearly all Vista home users are. A program only has to run a script with the command:
net user testaccnt /ADD
Now running as the user testaccnt, I downloaded the eicar file again, only this time I used the permissions to deny access to all but my own account. This included denying access to the main Administrator account.
And what happened? Because all but the dummy account had read/write access to the file, when I ran AVG as any account but the dummy one created, it didn’t detect the viral file.
Admins can’t delete the file manually through Explorer either (below, left.) That dummy account, however, can (below, right.) In fact, the easiest way to delete the file is for admins to use the CLI tool cacl, and re-assign the file’s permissions to match those of other “normal” files. The admin can then use del command or Explorer to rid themselves of the file.
There you have it folks: programs can create dummy accounts, and use those in conjunction with Windows permissions to evade themselves from the detection of anti-malware products. For all intents and purposes, a rootkit, included with every copy of Windows Vista out there. Because this is all permissions-related, I have a sneaking suspicion that anti-rootkit software won’t pick this up.
AVG’s Anti-Virus program has been confirmed, via this demo, to be susceptible to this kind of trickery. I have not tested the susceptibility of other anti-malware products.
**jabzor points out: System’ vs ‘Admin’; users run as admin or less while services and especially AV will run as ‘nt authority\system’ or ‘nt authority\networkservice’ unless they specify a custom account. Administrators can change the permissions to any file they want with ‘cacls’ a handy built-in cli tool I use all the time, similar to chmod for windows but more powerful.
Greetz: DanielG (pointed me to Eicar), jabzor, Murd0c, droops, slick0, StankDawg, RightCoast, BinRev, GameRadio (C4 & Kobar).
Comments
2 responses to “Windows Vista’s Built-in Rootkit”
It seems like Microsoft has tried so hard to secure Vista yet they gave malware creators a easier way to attack Vista users. I am kinda glad I don’t have Vista yet. Good find bro.
It’s not a bug, it’s a feature.